Bug 662929 - VUL-0: eclipse: Eclipse IDE Version: 3.6.1 | Help Server Local Cross Site Scripting (XSS)
VUL-0: eclipse: Eclipse IDE Version: 3.6.1 | Help Server Local Cross Site Scr...
Status: RESOLVED DUPLICATE of bug 654596
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
unspecified
Other Other
: P5 - None : Major
: ---
Assigned To: E-mail List
Security Team bot
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-01-07 08:25 UTC by Thomas Biege
Modified: 2011-01-11 13:10 UTC (History)
1 user (show)

See Also:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Biege 2011-01-07 08:25:19 UTC
Hi.
There is a security bug in package 'eclipse'.

This information is from 'oss-security'.

This bug is public.

There is no coordinated release date (CRD) set.

More information can be found here:
	http://localhost:

CVE number: CVE-2010-4647
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4647
CVSS v2 Base Score: 4.3 (moderate) (AV:N/AC:M/Au:N/C:N/I:P/A:N)


Original posting:



CVE-2010-4647

----------  Weitergeleitete Nachricht  ----------

Betreff: [oss-security] CVE Request: Eclipse IDE Version: 3.6.1 | Help Server 
Local Cross Site Scripting (XSS)
Datum: Donnerstag 06 Januar 2011
Von: YGN Ethical Hacker Group <lists@yehg.net>
An: oss-security@lists.openwall.com

==============================================================================
 Eclipse IDE | Help Server Local Cross Site Scripting (XSS) Vulnerability
==============================================================================


1. OVERVIEW

The Help Content web application of Eclipse IDE was vulnerable to
Cross Site Scripting (XSS) Vulnerability.


2. PRODUCT DESCRIPTION

Eclipse is a multi-language software development environment
comprising an integrated development environment (IDE) and an
extensible plug-in system. It is written mostly in Java and can be
used to develop applications in Java and, by means of various
plug-ins, other programming languages including Ada, C, C++, COBOL,
Perl, PHP, Python, Ruby (including Ruby on Rails framework), Scala,
and Scheme. The IDE is often called Eclipse ADT for Ada, Eclipse CDT
for C/C++, Eclipse JDT for Java, and Eclipse PDT for PHP.


3. VULNERABILITY DESCRIPTION

Eclipse Help Contents are served as a web application via the built-in
Jetty Web Server plugin. Cross Site Scripting vulnerabilities were
found in  /help/index.jsp and /help/advanced/content.jsp URLs. XSS on
/help/advanced/content.jsp url makes the browser hang
but even after clicking "Stop Executing" button, users can still get XSS.


4. VERSIONS AFFECTED

Eclipse IDE Version: 3.6.1 <=

Tested Editions(SDK, Java, J2EE)


5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost:[REPLACE]/help/index.jsp?'onload='alert(0)
http://localhost:[REPLACE]/help/advanced/content.jsp?'onload='alert(0)

Script-Check:
Request: /advanced/content.jsp?'onload='alert(0)	
Response: src='contentToolbar.jsp?'onload='alert(0)'


6. IMPACT

In a situation where users' browser security settings are weak, the
localized XSS vector could enable attackers to perform a number of
black acts including cross site content access, smb shares
enumeration, remote code execution, malicious trojan downloading and
execution ...etc.


7. SOLUTION

Apply the recent error-free nightly builds (ie.
http://download.eclipse.org/eclipse/downloads/drops/N20101110-2000/index.php)
.
According to the developer, "Chris Goldthorpe", the fix is in the
nightly build, 
http://download.eclipse.org/eclipse/downloads/drops/N20101108-2000/index.php
, it will also be in 3.6.2 (February 2011) and 3.7 (June 2011).


8. VENDOR

Eclipse Developers Team
http://www.eclipse.org/


9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


10. DISCLOSURE TIME-LINE

2010-11-04 : vulnerability discovered
2010-11-05 : notified vendor
2010-11-08 : patch released and applied to svn
2010-11-16 : vulnerability disclosed


11. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/eclipse/[eclipse_help_server]_cross_site_scripting
Eclipse Bug Tracker: https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582
Previous XSS Flaws:
http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html
(searchView.jsp, workingSetManager.jsp)
Cross Environment Hopping:
http://blog.watchfire.com/wfblog/2008/06/cross-environ-1.html
About Eclipse IDE:
https://secure.wikimedia.org/wikipedia/en/wiki/Eclipse_%28software%29

#yehg [2010-11-16]

last updated: 2010-12-24

-------------------------------------------------------------
Comment 1 Thomas Biege 2011-01-07 10:56:11 UTC
dup

*** This bug has been marked as a duplicate of bug 654596 ***