Date: Thu, 6 Jan 2011 17:14:30 +0800 From: YGN Ethical Hacker Group <lists@...g.net> To: oss-security@...ts.openwall.com Subject: CVE Request: Eclipse IDE Version: 3.6.1 | Help Server Local Cross Site Scripting (XSS) ============================================================================== Eclipse IDE | Help Server Local Cross Site Scripting (XSS) Vulnerability ============================================================================== 1. OVERVIEW The Help Content web application of Eclipse IDE was vulnerable to Cross Site Scripting (XSS) Vulnerability. 2. PRODUCT DESCRIPTION Eclipse is a multi-language software development environment comprising an integrated development environment (IDE) and an extensible plug-in system. It is written mostly in Java and can be used to develop applications in Java and, by means of various plug-ins, other programming languages including Ada, C, C++, COBOL, Perl, PHP, Python, Ruby (including Ruby on Rails framework), Scala, and Scheme. The IDE is often called Eclipse ADT for Ada, Eclipse CDT for C/C++, Eclipse JDT for Java, and Eclipse PDT for PHP. 3. VULNERABILITY DESCRIPTION Eclipse Help Contents are served as a web application via the built-in Jetty Web Server plugin. Cross Site Scripting vulnerabilities were found in /help/index.jsp and /help/advanced/content.jsp URLs. XSS on /help/advanced/content.jsp url makes the browser hang but even after clicking "Stop Executing" button, users can still get XSS. 4. VERSIONS AFFECTED Eclipse IDE Version: 3.6.1 <= Tested Editions(SDK, Java, J2EE) 5. PROOF-OF-CONCEPT/EXPLOIT http://localhost:[REPLACE]/help/index.jsp?'onload='alert(0) http://localhost:[REPLACE]/help/advanced/content.jsp?'onload='alert(0) Script-Check: Request: /advanced/content.jsp?'onload='alert(0) Response: src='contentToolbar.jsp?'onload='alert(0)' 6. IMPACT In a situation where users' browser security settings are weak, the localized XSS vector could enable attackers to perform a number of black acts including cross site content access, smb shares enumeration, remote code execution, malicious trojan downloading and execution ...etc. 7. SOLUTION Apply the recent error-free nightly builds (ie. http://download.eclipse.org/eclipse/downloads/drops/N20101110-2000/index.php) . According to the developer, "Chris Goldthorpe", the fix is in the nightly build, http://download.eclipse.org/eclipse/downloads/drops/N20101108-2000/index.php , it will also be in 3.6.2 (February 2011) and 3.7 (June 2011). 8. VENDOR Eclipse Developers Team http://www.eclipse.org/ 9. CREDIT This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 10. DISCLOSURE TIME-LINE 2010-11-04 : vulnerability discovered 2010-11-05 : notified vendor 2010-11-08 : patch released and applied to svn 2010-11-16 : vulnerability disclosed 11. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/eclipse/[eclipse_help_server]_cross_site_scripting Eclipse Bug Tracker: https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582 Previous XSS Flaws: http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html (searchView.jsp, workingSetManager.jsp) Cross Environment Hopping: http://blog.watchfire.com/wfblog/2008/06/cross-environ-1.html About Eclipse IDE: https://secure.wikimedia.org/wikipedia/en/wiki/Eclipse_%28software%29 #yehg [2010-11-16] last updated: 2010-12-24
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.