Bug 654596 - VUL-1: eclipse: Help Server Local Cross Site Scripting (XSS) Vulnerability
Status: RESOLVED NORESPONSE
Duplicates: 662929
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: E-mail List
QA Contact: Security Team bot
Depends on:
Blocks:

Reported: 2010-11-18 11:25 UTC by Thomas Biege
Modified: 2016-04-27 18:58 UTC (History)
CC: 2 users

See Also:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Biege 2010-11-18 11:25:17 UTC
Hi.
There is a security bug in package 'eclipse'.

This bug is public.

There is no coordinated release date (CRD) set.

More information can be found here:
	http://localhost:


Original posting:


----------  Forwarded Message  ----------

Subject: Eclipse IDE | Help Server Local Cross Site Scripting (XSS) Vulnerability
Date: Tuesday 16 November 2010
From: YGN Ethical Hacker Group <lists@yehg.net>
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com,
bugs@securitytracker.com, vuln@secunia.com, secalert@securityreason.com,
news@securiteam.com, vuln@security.nnov.ru

=========================================================
 Eclipse IDE | Help Server Local Cross Site Scripting (XSS) Vulnerability
=========================================================


1. OVERVIEW

The Help Content web application of Eclipse IDE was vulnerable to a
Cross Site Scripting (XSS) vulnerability.


2. PRODUCT DESCRIPTION

Eclipse is a multi-language software development environment
comprising an integrated development environment (IDE) and an
extensible plug-in system. It is written mostly in Java and can be
used to develop applications in Java and, by means of various
plug-ins, other programming languages including Ada, C, C++, COBOL,
Perl, PHP, Python, Ruby (including Ruby on Rails framework), Scala,
and Scheme. The IDE is often called Eclipse ADT for Ada, Eclipse CDT
for C/C++, Eclipse JDT for Java, and Eclipse PDT for PHP.


3. VULNERABILITY DESCRIPTION

Eclipse Help Contents are served as a web application via the built-in
Jetty Web Server plugin. Cross Site Scripting vulnerabilities were
found in the /help/index.jsp and /help/advanced/content.jsp URLs. XSS on
the /help/advanced/content.jsp URL makes the browser hang,
but even after clicking the "Stop Executing" button, users still get the XSS.


4. VERSIONS AFFECTED

Eclipse IDE Version: <= 3.6.1

Tested Editions: SDK, Java, J2EE


5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost:[REPLACE]/help/index.jsp?'onload='alert(0)
http://localhost:[REPLACE]/help/advanced/content.jsp?'onload='alert(0)


6. IMPACT

In a situation where users' browser security settings are weak, the
localized XSS vector could enable attackers to perform a number of
black acts including cross site content access, smb shares
enumeration, remote code execution, malicious trojan downloading and
execution, etc.


7. SOLUTION

Apply the recent error-free nightly builds (i.e.
http://download.eclipse.org/eclipse/downloads/drops/N20101110-2000/index.php).
According to the developer, Chris Goldthorpe, the fix is in the nightly build
http://download.eclipse.org/eclipse/downloads/drops/N20101108-2000/index.php;
it will also be in 3.6.2 (February 2011) and 3.7 (June 2011).


8. VENDOR

Eclipse Developers Team
http://www.eclipse.org/


9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


10. DISCLOSURE TIME-LINE

2010-11-04 : vulnerability discovered
2010-11-05 : notified vendor
2010-11-08 : patch released and applied to svn
2010-11-16 : vulnerability disclosed


11. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/eclipse/[eclipse_help_server]_cross_site_scripting
Eclipse Bug Tracker: https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582
Previous XSS Flaws:
http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html
(searchView.jsp, workingSetManager.jsp)
Cross Environment Hopping:
http://blog.watchfire.com/wfblog/2008/06/cross-environ-1.html
About Eclipse IDE:
https://secure.wikimedia.org/wikipedia/en/wiki/Eclipse_%28software%29

#yehg [2010-11-16]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

-------------------------------------------------------------
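The attribute-context reflection that the advisory's query strings exercise, shown as an added Java example that is not Eclipse's own help-server code: a reconstructed vulnerable rendering next to an attribute-encoded one, with a small regression check. The frame markup, class and method names are assumptions for illustration only.

```java
import java.util.regex.Pattern;

public class HelpIndexReflection {

    // Vulnerable pattern (hypothetical reconstruction): the raw query string
    // lands inside a single-quoted attribute, so a value such as
    // 'onload='alert(0) closes src early and adds an onload handler.
    static String renderVulnerable(String queryString) {
        return "<frame src='advanced/content.jsp?" + queryString + "'>";
    }

    // Hardened pattern: every character that can terminate an attribute value
    // or open a tag is replaced by a character reference before concatenation.
    static String renderHardened(String queryString) {
        return "<frame src='advanced/content.jsp?"
                + encodeForHtmlAttribute(queryString) + "'>";
    }

    // Minimal attribute encoder for the example; a maintained library such as
    // OWASP Java Encoder (Encode.forHtmlAttribute) is the better choice in
    // production code.
    static String encodeForHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Regression check: an event-handler attribute (on...=) directly after a
    // quote or whitespace means the attribute boundary was escaped.
    private static final Pattern INJECTED_HANDLER =
            Pattern.compile("(?i)(?<=['\"\\s])on\\w+\\s*=");

    static boolean hasInjectedHandler(String html) {
        return INJECTED_HANDLER.matcher(html).find();
    }

    public static void main(String[] args) {
        String probe = "'onload='alert(0)";   // constructed: the advisory's query string
        System.out.println(renderVulnerable(probe));  // boundary broken, handler injected
        System.out.println(renderHardened(probe));    // probe stays inside the src value
        System.out.println(hasInjectedHandler(renderVulnerable(probe)));
        System.out.println(hasInjectedHandler(renderHardened(probe)));
    }
}
```

The check in hasInjectedHandler is deliberately narrow; it catches this advisory's quote-breakout shape, not every reflected-XSS variant.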
Comment 1 Thomas Biege 2010-11-18 13:05:22 UTC
P5 -> P3 mass change
Comment 3 Thomas Biege 2011-01-07 10:56:12 UTC
*** Bug 662929 has been marked as a duplicate of this bug. ***
Comment 4 Thomas Biege 2011-01-20 10:54:04 UTC
CVE-2008-7271: CVSS v2 Base Score: 2.6 (low) (AV:N/AC:H/Au:N/C:N/I:P/A:N): Cross-Site Scripting (XSS) (CWE-79)


CVE-ID: CVE-2008-7271
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7271

Multiple cross-site scripting (XSS) vulnerabilities in the Help
Contents web application (aka the Help Server) in Eclipse IDE,
possibly 3.3.2, allow remote attackers to inject arbitrary web script
or HTML via (1) the searchWord parameter to
help/advanced/searchView.jsp or (2) the workingSet parameter in an add
action to help/advanced/workingSetManager.jsp, a different issue than
CVE-2010-4647.
Current Votes:
None (candidate not yet proposed)
Comment 5 Marcus Meissner 2013-04-05 15:09:29 UTC
All products affected expired in the meantime.