Date: Thu, 6 Jan 2011 14:04:57 -0500 (EST) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: coley <coley@...re.org>, lists@...g.net Subject: Re: CVE Request: Eclipse IDE Version: 3.6.1 | Help Server Local Cross Site Scripting (XSS) Please use CVE-2010-4647 for this. Thanks. -- JB ----- Original Message ----- > ============================================================================== > Eclipse IDE | Help Server Local Cross Site Scripting (XSS) > Vulnerability > ============================================================================== > > > 1. OVERVIEW > > The Help Content web application of Eclipse IDE was vulnerable to > Cross Site Scripting (XSS) Vulnerability. > > > 2. PRODUCT DESCRIPTION > > Eclipse is a multi-language software development environment > comprising an integrated development environment (IDE) and an > extensible plug-in system. It is written mostly in Java and can be > used to develop applications in Java and, by means of various > plug-ins, other programming languages including Ada, C, C++, COBOL, > Perl, PHP, Python, Ruby (including Ruby on Rails framework), Scala, > and Scheme. The IDE is often called Eclipse ADT for Ada, Eclipse CDT > for C/C++, Eclipse JDT for Java, and Eclipse PDT for PHP. > > > 3. VULNERABILITY DESCRIPTION > > Eclipse Help Contents are served as a web application via the built-in > Jetty Web Server plugin. Cross Site Scripting vulnerabilities were > found in /help/index.jsp and /help/advanced/content.jsp URLs. XSS on > /help/advanced/content.jsp url makes the browser hang > but even after clicking "Stop Executing" button, users can still get > XSS. > > > 4. VERSIONS AFFECTED > > Eclipse IDE Version: 3.6.1 <= > > Tested Editions(SDK, Java, J2EE) > > > 5. PROOF-OF-CONCEPT/EXPLOIT > > http://localhost:[REPLACE]/help/index.jsp?'onload='alert(0) > http://localhost:[REPLACE]/help/advanced/content.jsp?'onload='alert(0) > > Script-Check: > Request: /advanced/content.jsp?'onload='alert(0) > Response: src='contentToolbar.jsp?'onload='alert(0)' > > > 6. IMPACT > > In a situation where users' browser security settings are weak, the > localized XSS vector could enable attackers to perform a number of > black acts including cross site content access, smb shares > enumeration, remote code execution, malicious trojan downloading and > execution ...etc. > > > 7. SOLUTION > > Apply the recent error-free nightly builds (ie. > http://download.eclipse.org/eclipse/downloads/drops/N20101110-2000/index.php) > . > According to the developer, "Chris Goldthorpe", the fix is in the > nightly build, > http://download.eclipse.org/eclipse/downloads/drops/N20101108-2000/index.php > , it will also be in 3.6.2 (February 2011) and 3.7 (June 2011). > > > 8. VENDOR > > Eclipse Developers Team > http://www.eclipse.org/ > > > 9. CREDIT > > This vulnerability was discovered by Aung Khant, http://yehg.net, YGN > Ethical Hacker Group, Myanmar. > > > 10. DISCLOSURE TIME-LINE > > 2010-11-04 : vulnerability discovered > 2010-11-05 : notified vendor > 2010-11-08 : patch released and applied to svn > 2010-11-16 : vulnerability disclosed > > > 11. REFERENCES > > Original Advisory URL: > http://yehg.net/lab/pr0js/advisories/eclipse/[eclipse_help_server]_cross_site_scripting > Eclipse Bug Tracker: > https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582 > Previous XSS Flaws: > http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html > (searchView.jsp, workingSetManager.jsp) > Cross Environment Hopping: > http://blog.watchfire.com/wfblog/2008/06/cross-environ-1.html > About Eclipse IDE: > https://secure.wikimedia.org/wikipedia/en/wiki/Eclipse_%28software%29 > > #yehg [2010-11-16] > > last updated: 2010-12-24
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.