2012-02-21 23:57:42 PST
I have 2 web apps, one Java webapp and another PHP webapp. They are installed on 2 servers (www.a.com for Java and b.a.com for PHP). They are both using josso 1.4.
Recently, the hosting provider did a security risk assessment and they commented that the PHP web server has the following vulnerability:
tcp/443 is open. Apache Struts s:a / s:url Tag href Element XSS, the web application has multiple cross-site scripting vulnerabilities.
Risk: Medium
Recommendation: Upgrade to Struts version 2.1.1 / 2.0.11.1 or later.
I find that the josso 1.4 agent is using Struts 1.1 as one of its libraries. I tried to find a more recent version that might be using Struts 2, but I found that the same library is still being used in josso 1.7. My web server is Apache 2 and the app server is JBoss 4.0.3, and both systems are on RHEL4.
I think that josso should have sanitized the input, but I haven't checked this. I have no idea how to handle this issue. Can I change my Struts library to use Struts 2? Many thanks.
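One way to check what the scanner's finding actually applies to, as an added example that is not part of the original post: inventory the Struts jars really shipped in each webapp's WEB-INF/lib, read their versions from the file name or manifest, and compare them against the fixed versions the assessment names (2.0.11.1 / 2.1.1). The sample lib directory, jar names and manifests are constructed here for the demonstration; the Struts 1.x jar is deliberately named only in its manifest, as it often is.

```python
import os
import re
import tempfile
import zipfile

# Struts jars are usually "struts-<version>.jar" (Struts 1) or
# "struts2-<module>-<version>.jar" (Struts 2); fall back to the manifest otherwise.
_NAME_RE = re.compile(r"^struts(?:2)?(?:-[a-z]+)*-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)

def struts_version(jar_path):
    """Return the Struts version string for a jar, or None if it is not a Struts jar."""
    name = os.path.basename(jar_path)
    if not name.lower().startswith("struts"):
        return None
    m = _NAME_RE.match(name)
    if m:
        return m.group(1)
    with zipfile.ZipFile(jar_path) as jar:  # e.g. a bare "struts.jar" from Struts 1.x
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return "unknown"
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("Implementation-Version", "Specification-Version"):
            return value.strip()
    return "unknown"

def inventory(lib_dir):
    """Map each Struts jar found in lib_dir to its version; other jars are skipped."""
    found = {}
    for entry in sorted(os.listdir(lib_dir)):
        if entry.lower().endswith(".jar"):
            version = struts_version(os.path.join(lib_dir, entry))
            if version is not None:
                found[entry] = version
    return found

def affected_by_struts2_tag_xss(version):
    """True if a Struts 2 version predates the fixed 2.0.11.1 / 2.1.1; Struts 1.x is a separate code base."""
    parts = tuple(int(p) for p in version.split(".")) if version[:1].isdigit() else None
    if not parts or parts[0] != 2:
        return False
    return parts < (2, 0, 11, 1) if parts[:2] == (2, 0) else parts < (2, 1, 1)

def build_sample_lib():
    """Constructed WEB-INF/lib: a Struts 1.1 jar (versioned only in its manifest), a Struts 2.0.9 jar, a non-Struts jar."""
    lib = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(lib, "struts.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nImplementation-Version: 1.1\r\n")
    with zipfile.ZipFile(os.path.join(lib, "struts2-core-2.0.9.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
    with zipfile.ZipFile(os.path.join(lib, "josso-agent.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
    return lib
```

Run `inventory()` against the real WEB-INF/lib of each deployed webapp; a result showing only Struts 1.x jars means the Struts 2 tag finding does not match the library in use and the scanner's version detection should be questioned with the provider.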