Date: Thu, 6 Jan 2011 14:04:57 -0500 (EST) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: coley <coley@...re.org>, lists@...g.net Subject: Re: CVE Request: Eclipse IDE Version: 3.6.1 | Help Server Local Cross Site Scripting (XSS) Please use CVE-2010-4647 for this. Thanks. -- JB ----- Original Message ----- > ============================================================================== > Eclipse IDE | Help Server Local Cross Site Scripting (XSS) > Vulnerability > ============================================================================== > > > 1. OVERVIEW > > The Help Content web application of Eclipse IDE was vulnerable to > Cross Site Scripting (XSS) Vulnerability. > > > 2. PRODUCT DESCRIPTION > > Eclipse is a multi-language software development environment > comprising an integrated development environment (IDE) and an > extensible plug-in system. It is written mostly in Java and can be > used to develop applications in Java and, by means of various > plug-ins, other programming languages including Ada, C, C++, COBOL, > Perl, PHP, Python, Ruby (including Ruby on Rails framework), Scala, > and Scheme. The IDE is often called Eclipse ADT for Ada, Eclipse CDT > for C/C++, Eclipse JDT for Java, and Eclipse PDT for PHP. > > > 3. VULNERABILITY DESCRIPTION > > Eclipse Help Contents are served as a web application via the built-in > Jetty Web Server plugin. Cross Site Scripting vulnerabilities were > found in /help/index.jsp and /help/advanced/content.jsp URLs. XSS on > /help/advanced/content.jsp url makes the browser hang > but even after clicking "Stop Executing" button, users can still get > XSS. > > > 4. VERSIONS AFFECTED > > Eclipse IDE Version: 3.6.1 <= > > Tested Editions(SDK, Java, J2EE) > > > 5. PROOF-OF-CONCEPT/EXPLOIT > > http://localhost:[REPLACE]/help/index.jsp?'onload='alert(0) > http://localhost:[REPLACE]/help/advanced/content.jsp?'onload='alert(0) > > Script-Check: > Request: /advanced/content.jsp?'onload='alert(0) > Response: src='contentToolbar.jsp?'onload='alert(0)' > > > 6. IMPACT > > In a situation where users' browser security settings are weak, the > localized XSS vector could enable attackers to perform a number of > black acts including cross site content access, smb shares > enumeration, remote code execution, malicious trojan downloading and > execution ...etc. > > > 7. SOLUTION > > Apply the recent error-free nightly builds (ie. > http://download.eclipse.org/eclipse/downloads/drops/N20101110-2000/index.php) > . > According to the developer, "Chris Goldthorpe", the fix is in the > nightly build, > http://download.eclipse.org/eclipse/downloads/drops/N20101108-2000/index.php > , it will also be in 3.6.2 (February 2011) and 3.7 (June 2011). > > > 8. VENDOR > > Eclipse Developers Team > http://www.eclipse.org/ > > > 9. CREDIT > > This vulnerability was discovered by Aung Khant, http://yehg.net, YGN > Ethical Hacker Group, Myanmar. > > > 10. DISCLOSURE TIME-LINE > > 2010-11-04 : vulnerability discovered > 2010-11-05 : notified vendor > 2010-11-08 : patch released and applied to svn > 2010-11-16 : vulnerability disclosed > > > 11. REFERENCES > > Original Advisory URL: > http://yehg.net/lab/pr0js/advisories/eclipse/[eclipse_help_server]_cross_site_scripting > Eclipse Bug Tracker: > https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582 > Previous XSS Flaws: > http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html > (searchView.jsp, workingSetManager.jsp) > Cross Environment Hopping: > http://blog.watchfire.com/wfblog/2008/06/cross-environ-1.html > About Eclipse IDE: > https://secure.wikimedia.org/wikipedia/en/wiki/Eclipse_%28software%29 > > #yehg [2010-11-16] > > last updated: 2010-12-24
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ