Message-ID: <AANLkTikGHZ1z8w4b=dw0Wf5DSU8iUDWL6y=ZBh=G87YL@mail.gmail.com>
Date: Thu, 6 Jan 2011 17:14:30 +0800
From: YGN Ethical Hacker Group <lists@...g.net>
To: oss-security@...ts.openwall.com
Subject: CVE Request: Eclipse IDE Version: 3.6.1 | Help Server Local Cross Site Scripting (XSS)

==============================================================================
Eclipse IDE | Help Server Local Cross Site Scripting (XSS) Vulnerability
==============================================================================

1. OVERVIEW

The Help Content web application of Eclipse IDE was vulnerable to a Cross Site Scripting (XSS) vulnerability.

2. PRODUCT DESCRIPTION

Eclipse is a multi-language software development environment comprising an integrated development environment (IDE) and an extensible plug-in system. It is written mostly in Java and can be used to develop applications in Java and, by means of various plug-ins, other programming languages including Ada, C, C++, COBOL, Perl, PHP, Python, Ruby (including the Ruby on Rails framework), Scala, and Scheme. The IDE is often called Eclipse ADT for Ada, Eclipse CDT for C/C++, Eclipse JDT for Java, and Eclipse PDT for PHP.

3. VULNERABILITY DESCRIPTION

Eclipse Help Contents are served as a web application via the built-in Jetty Web Server plugin. Cross Site Scripting vulnerabilities were found in the /help/index.jsp and /help/advanced/content.jsp URLs. XSS on the /help/advanced/content.jsp URL makes the browser hang, but even after clicking the "Stop Executing" button, users can still get XSS.

4. VERSIONS AFFECTED

Eclipse IDE Version: 3.6.1 <= Tested Editions (SDK, Java, J2EE)

5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost:[REPLACE]/help/index.jsp?'onload='alert(0)
http://localhost:[REPLACE]/help/advanced/content.jsp?'onload='alert(0)

Script-Check:

Request:  /advanced/content.jsp?'onload='alert(0)
Response: src='contentToolbar.jsp?'onload='alert(0)'

6. IMPACT

In a situation where users' browser security settings are weak, the localized XSS vector could enable attackers to perform a number of black acts including cross site content access, SMB share enumeration, remote code execution, malicious trojan downloading and execution, etc.

7. SOLUTION

Apply the recent error-free nightly builds (i.e. http://download.eclipse.org/eclipse/downloads/drops/N20101110-2000/index.php). According to the developer, "Chris Goldthorpe", the fix is in the nightly build http://download.eclipse.org/eclipse/downloads/drops/N20101108-2000/index.php ; it will also be in 3.6.2 (February 2011) and 3.7 (June 2011).

8. VENDOR

Eclipse Developers Team
http://www.eclipse.org/

9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

10. DISCLOSURE TIME-LINE

2010-11-04 : vulnerability discovered
2010-11-05 : notified vendor
2010-11-08 : patch released and applied to svn
2010-11-16 : vulnerability disclosed

11. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/eclipse/[eclipse_help_server]_cross_site_scripting

Eclipse Bug Tracker:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582

Previous XSS Flaws:
http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html (searchView.jsp, workingSetManager.jsp)

Cross Environment Hopping:
http://blog.watchfire.com/wfblog/2008/06/cross-environ-1.html

About Eclipse IDE:
https://secure.wikimedia.org/wikipedia/en/wiki/Eclipse_%28software%29

#yehg [2010-11-16]
last updated: 2010-12-24
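Editor's note: the "Script-Check" in section 5 shows the whole bug in one line: the raw query string is concatenated into a single-quoted src attribute, so a payload beginning with a quote closes the attribute and the rest of it becomes a new onload attribute. The following Python is an added example (not Eclipse's JSP and not the vendor's patch) that re-creates that reflection, puts a hardened rendering next to it, and performs the same kind of check the advisory describes by feeding each response through an HTML parser and listing any event-handler attributes the parser ends up seeing. The iframe element, the helper names, and the escaping strategy are assumptions for illustration.

```python
"""Model of the reflected XSS reported against /help/advanced/content.jsp.

Added example, not code from Eclipse. It reproduces the response shape quoted in the
advisory (src='contentToolbar.jsp?'onload='alert(0)') and shows one way to render the
same value safely, then checks both with a real HTML parser.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

# The payload exactly as it appears in the advisory's proof-of-concept URLs.
PAYLOAD = "'onload='alert(0)"


def render_toolbar_vulnerable(query_string: str) -> str:
    """Vulnerable rendering (re-created, not the original JSP): the query string is
    pasted verbatim into a single-quoted attribute. The element is assumed to be an
    iframe; the advisory only shows the src attribute."""
    return "<iframe src='contentToolbar.jsp?" + query_string + "'></iframe>"


def render_toolbar_fixed(query_string: str) -> str:
    """Hardened rendering (assumed approach, not necessarily the Eclipse fix).

    Two layers, one per context the value passes through:
      1. percent-encode it as a URL query component, so quotes, parentheses and
         spaces cannot terminate the URL or the attribute;
      2. HTML-escape the result for the attribute context, so '&' and any quote
         that survived step 1 is still inert.
    '=' and '&' are kept literal in step 1 so a real key=value query still works.
    """
    safe = escape(quote(query_string, safe="=&"), quote=True)
    return "<iframe src='contentToolbar.jsp?" + safe + "'></iframe>"


class _StartTagCollector(HTMLParser):
    """Records (tag, attributes) for every start tag the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict[str, str | None]]] = []

    def handle_starttag(self, tag, attrs):  # noqa: D401 - HTMLParser callback
        self.tags.append((tag, dict(attrs)))


def injected_handlers(markup: str) -> list[str]:
    """Script-check: parse the response the way a browser would and return every
    on* event-handler attribute found, as 'tag@attribute'. A non-empty list means
    the payload broke out of the src attribute."""
    collector = _StartTagCollector()
    collector.feed(markup)
    collector.close()
    return [
        f"{tag}@{name}"
        for tag, attrs in collector.tags
        for name in attrs
        if name.startswith("on")
    ]


if __name__ == "__main__":
    for label, render in (("vulnerable", render_toolbar_vulnerable),
                          ("fixed", render_toolbar_fixed)):
        body = render(PAYLOAD)
        print(f"{label:10} {body}")
        print(f"{'':10} handlers seen by parser: {injected_handlers(body)}")
```

Running the block prints the two renderings side by side; the parser reports `iframe@onload` for the vulnerable one and nothing for the hardened one, which is the property a regression test for this class of bug should assert rather than grepping the response for the literal payload.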