Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 6 Jan 2011 14:04:57 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>, lists@...g.net
Subject: Re: CVE Request: Eclipse IDE Version: 3.6.1 | Help
 Server Local Cross Site Scripting (XSS)

Please use CVE-2010-4647 for this.

Thanks.

-- 
    JB


----- Original Message -----
> ==============================================================================
> Eclipse IDE | Help Server Local Cross Site Scripting (XSS)
> Vulnerability
> ==============================================================================
> 
> 
> 1. OVERVIEW
> 
> The Help Content web application of Eclipse IDE was vulnerable to
> Cross Site Scripting (XSS) Vulnerability.
> 
> 
> 2. PRODUCT DESCRIPTION
> 
> Eclipse is a multi-language software development environment
> comprising an integrated development environment (IDE) and an
> extensible plug-in system. It is written mostly in Java and can be
> used to develop applications in Java and, by means of various
> plug-ins, other programming languages including Ada, C, C++, COBOL,
> Perl, PHP, Python, Ruby (including Ruby on Rails framework), Scala,
> and Scheme. The IDE is often called Eclipse ADT for Ada, Eclipse CDT
> for C/C++, Eclipse JDT for Java, and Eclipse PDT for PHP.
> 
> 
> 3. VULNERABILITY DESCRIPTION
> 
> Eclipse Help Contents are served as a web application via the built-in
> Jetty Web Server plugin. Cross Site Scripting vulnerabilities were
> found in /help/index.jsp and /help/advanced/content.jsp URLs. XSS on
> /help/advanced/content.jsp url makes the browser hang
> but even after clicking "Stop Executing" button, users can still get
> XSS.
> 
> 
> 4. VERSIONS AFFECTED
> 
> Eclipse IDE Version: 3.6.1 <=
> 
> Tested Editions(SDK, Java, J2EE)
> 
> 
> 5. PROOF-OF-CONCEPT/EXPLOIT
> 
> http://localhost:[REPLACE]/help/index.jsp?'onload='alert(0)
> http://localhost:[REPLACE]/help/advanced/content.jsp?'onload='alert(0)
> 
> Script-Check:
> Request: /advanced/content.jsp?'onload='alert(0)
> Response: src='contentToolbar.jsp?'onload='alert(0)'
> 
> 
> 6. IMPACT
> 
> In a situation where users' browser security settings are weak, the
> localized XSS vector could enable attackers to perform a number of
> black acts including cross site content access, smb shares
> enumeration, remote code execution, malicious trojan downloading and
> execution ...etc.
> 
> 
> 7. SOLUTION
> 
> Apply the recent error-free nightly builds (ie.
> http://download.eclipse.org/eclipse/downloads/drops/N20101110-2000/index.php)
> .
> According to the developer, "Chris Goldthorpe", the fix is in the
> nightly build,
> http://download.eclipse.org/eclipse/downloads/drops/N20101108-2000/index.php
> , it will also be in 3.6.2 (February 2011) and 3.7 (June 2011).
> 
> 
> 8. VENDOR
> 
> Eclipse Developers Team
> http://www.eclipse.org/
> 
> 
> 9. CREDIT
> 
> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
> Ethical Hacker Group, Myanmar.
> 
> 
> 10. DISCLOSURE TIME-LINE
> 
> 2010-11-04 : vulnerability discovered
> 2010-11-05 : notified vendor
> 2010-11-08 : patch released and applied to svn
> 2010-11-16 : vulnerability disclosed
> 
> 
> 11. REFERENCES
> 
> Original Advisory URL:
> http://yehg.net/lab/pr0js/advisories/eclipse/[eclipse_help_server]_cross_site_scripting
> Eclipse Bug Tracker:
> https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582
> Previous XSS Flaws:
> http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html
> (searchView.jsp, workingSetManager.jsp)
> Cross Environment Hopping:
> http://blog.watchfire.com/wfblog/2008/06/cross-environ-1.html
> About Eclipse IDE:
> https://secure.wikimedia.org/wikipedia/en/wiki/Eclipse_%28software%29
> 
> #yehg [2010-11-16]
> 
> last updated: 2010-12-24

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.