Bug 654596

Summary: VUL-1: eclipse: Help Server Local Cross Site Scripting (XSS) Vulnerability
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Biege <thomas>
Component: GeneralAssignee: E-mail List <bnc-team-java>
Status: RESOLVED NORESPONSE QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: meissner, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: Development Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Biege 2010-11-18 11:25:17 UTC 
Hi.
There is a security bug in package 'eclipse'.

This bug is public.

There is no coordinated release date (CRD) set.

More information can be found here:
	http://localhost:


Original posting:


----------  Weitergeleitete Nachricht  ----------

Betreff: Eclipse IDE | Help Server Local Cross Site Scripting (XSS) 
Vulnerability
Datum: Dienstag 16 November 2010
Von: YGN Ethical Hacker Group <lists@yehg.net>
An: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, 
bugs@securitytracker.com, vuln@secunia.com, secalert@securityreason.com, 
news@securiteam.com, vuln@security.nnov.ru

=========================================================
 Eclipse IDE | Help Server Local Cross Site Scripting (XSS) Vulnerability
=========================================================


1. OVERVIEW

The Help Content web application of Eclipse IDE was vulnerable to
Cross Site Scripting (XSS) Vulnerability.


2. PRODUCT DESCRIPTION

Eclipse is a multi-language software development environment
comprising an integrated development environment (IDE) and an
extensible plug-in system. It is written mostly in Java and can be
used to develop applications in Java and, by means of various
plug-ins, other programming languages including Ada, C, C++, COBOL,
Perl, PHP, Python, Ruby (including Ruby on Rails framework), Scala,
and Scheme. The IDE is often called Eclipse ADT for Ada, Eclipse CDT
for C/C++, Eclipse JDT for Java, and Eclipse PDT for PHP.


3. VULNERABILITY DESCRIPTION

Eclipse Help Contents are served as a web application via the built-in
Jetty Web Server plugin. Cross Site Scripting vulnerabilities were
found in  /help/index.jsp and /help/advanced/content.jsp URLs. XSS on
/help/advanced/content.jsp url makes the browser hang
but even after clicking "Stop Executing" button, users can still get XSS.


4. VERSIONS AFFECTED

Eclipse IDE Version: 3.6.1 <=

Tested Editions(SDK, Java, J2EE)


5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost:[REPLACE]/help/index.jsp?'onload='alert(0)
http://localhost:[REPLACE]/help/advanced/content.jsp?'onload='alert(0)


6. IMPACT

In a situation where users' browser security settings are weak, the
localized XSS vector could enable attackers to perform a number of
black acts including cross site content access, smb shares
enumeration, remote code execution, malicious trojan downloading and
execution ...etc.


7. SOLUTION

Apply the recent error-free nightly builds (ie.
http://download.eclipse.org/eclipse/downloads/drops/N20101110-2000/index.php)
.
According to the developer, "Chris Goldthorpe", the fix is in the
nightly build, 
http://download.eclipse.org/eclipse/downloads/drops/N20101108-2000/index.php
, it will also be in 3.6.2 (February 2011) and 3.7 (June 2011).


8. VENDOR

Eclipse Developers Team
http://www.eclipse.org/


9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


10. DISCLOSURE TIME-LINE

2010-11-04 : vulnerability discovered
2010-11-05 : notified vendor
2010-11-08 : patch released and applied to svn
2010-11-16 : vulnerability disclosed


11. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/eclipse/[eclipse_help_server]_cross_site_scripting
Eclipse Bug Tracker: https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582
Previous XSS Flaws:
http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html
(searchView.jsp, workingSetManager.jsp)
Cross Environment Hopping:
http://blog.watchfire.com/wfblog/2008/06/cross-environ-1.html
About Eclipse IDE:
https://secure.wikimedia.org/wikipedia/en/wiki/Eclipse_%28software%29

#yehg [2010-11-16]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

-------------------------------------------------------------
Comment 1 Thomas Biege 2010-11-18 13:05:22 UTC 
P5 -> P3 mass change
Comment 3 Thomas Biege 2011-01-07 10:56:12 UTC 
*** Bug 662929 has been marked as a duplicate of this bug. ***
Comment 4 Thomas Biege 2011-01-20 10:54:04 UTC 
CVE-2008-7271: CVSS v2 Base Score: 2.6 (low) (AV:N/AC:H/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS) (CWE-79)


CVE-ID: CVE-2008-7271
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7271

+
Multiple cross-site scripting (XSS) vulnerabilities in the Help
Contents web application (aka the Help Server) in Eclipse IDE,
possibly 3.3.2, allow remote attackers to inject arbitrary web script
or HTML via (1) the searchWord parameter to
help/advanced/searchView.jsp or (2) the workingSet parameter in an add
action to help/advanced/workingSetManager.jsp, a different issue than
CVE-2010-4647.
+
+
Current Votes:
None (candidate not yet proposed)
Comment 5 Marcus Meissner 2013-04-05 15:09:29 UTC 
All products affected expired in the meantime.