Bug 661901 (CVE-2010-4647) - CVE-2010-4647 eclipse: Help Content web application vulnerable to multiple XSS
Summary: CVE-2010-4647 eclipse: Help Content web application vulnerable to multiple XSS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-4647
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20101116,reported=2...
Depends On: 662967 670946
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-12-09 22:42 UTC by Vincent Danen
Modified: 2019-06-08 18:41 UTC (History)
18 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 12:47:23 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0568 normal SHIPPED_LIVE Low: eclipse security, bug fix, and enhancement update 2011-05-19 11:42:43 UTC
Eclipse Project 329582 None None None Never

Description Vincent Danen 2010-12-09 22:42:15 UTC
It was reported [1] that the Eclipse Help Contents were vulnerable to Cross Site Scripting vulnerabilities in the /help/index.jsp and /help/advanced/content.jsp URLs that are served by the built-in Jetty Web Server plugin.

There is an upstream bug [2] and according to the reporter, this is corrected upstream (as of nightlies dating back to 20101110).

[1] http://yehg.net/lab/pr0js/advisories/eclipse/%5Beclipse_help_server%5D_cross_site_scripting

Comment 2 Vincent Danen 2011-01-06 17:32:35 UTC
Upstream bug is here: https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582

Comment 3 Vincent Danen 2011-01-06 19:29:52 UTC
This has been assigned the name CVE-2010-4647:

http://article.gmane.org/gmane.comp.security.oss.general/4059

Comment 4 Michal Nowak 2011-01-12 13:00:07 UTC
How do I trigger the bug actually?

Using Eclipse 3.5.2 from RHEL6.0.

1)

Well, I started Eclipse and it's Help Contents browser and in Firefox inserted this address

  http://localhost:38336/help/index.jsp?'onload='alert(0)

I can see page "Using the help system" and that's what'd expect.

2)

I changed notices.html from org.eclipse.platform.doc.user_3.5.2.r352_v20091111-0800.jar to contain following code

<p>
<a href="/help/index.jsp?'onload='alert(0)">I am bad guy.</a>
</p>

<p>
<a href="/help/advanced/content.jsp?'onload='alert(0)">I am bad guy #2.</a>
</p>


Then I created malformed JAR package and placed it to java path, restarted Eclipse and it's Help Contents browser, gained notices.html page (called "Legal"). There I can see two new links, first of them shows help/index.jsp in frames and the second one displays help/advanced/content.jsp as a single page. Nothing unusual.

Comment 5 Severin Gehwolf 2011-01-12 14:19:36 UTC
FWIW, I included a fix for this bug in rawhide, F14 and F13 a while back. The fix does nothing bug URL encode relevant parts. The F13 link is here:
http://pkgs.fedoraproject.org/gitweb/?p=eclipse.git;a=commit;h=5c1617b9de63689d9682289def570666267d8ebe

Comment 6 Severin Gehwolf 2011-01-12 14:22:56 UTC
I might as well add that I was, too, unable to reproducing this.

Comment 7 Vincent Danen 2011-01-13 21:49:05 UTC
Since this issue is quite similar, I'm adding a second CVE to this bug.

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-7271 to
the following vulnerability:

Name: CVE-2008-7271
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7271
Assigned: 20110113
Reference: MISC: http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html
Reference: MISC: https://bugs.eclipse.org/bugs/show_bug.cgi?id=223539

Multiple cross-site scripting (XSS) vulnerabilities in the Help
Contents web application (aka the Help Server) in Eclipse IDE,
possibly 3.3.2, allow remote attackers to inject arbitrary web script
or HTML via (1) the searchWord parameter to
help/advanced/searchView.jsp or (2) the workingSet parameter in an add
action to help/advanced/workingSetManager.jsp, a different issue than
CVE-2010-4647.

Unfortunately, the upstream bug report is private so cannot get further details from there.

Comment 8 Michal Nowak 2011-01-14 11:27:50 UTC
Was the last vulnerability addressed in 3.6 eclipse update?

Comment 9 Vincent Danen 2011-01-14 16:32:52 UTC
(In reply to comment #8)
> Was the last vulnerability addressed in 3.6 eclipse update?

The blog entry makes a vague reference to it being fixed, but doesn't specify when or what version and the upstream bug is private.  I suppose the best way to know for certain is to test whether or not what the blog illustrates still works (or see if we can find someone who can look at that upstream report).

Comment 14 Vincent Danen 2011-01-19 18:06:10 UTC
For CVE-2008-7271, these issues should be fixed in Eclipse 3.6, via:

/help/advanced/searchView.jsp:
  Bug 223980 � [Webapp] Unencoded strings inserted into JavaScript
  http://dev.eclipse.org/viewcvs/viewvc.cgi/org.eclipse.help.webapp/advanced/searchView.jsp?r1=1.31&r2=1.32

  Bug 271049 -  [Webapp][Security] XSS vulnerabilities in Eclipse 3.4 help system
  http://dev.eclipse.org/viewcvs/viewvc.cgi/org.eclipse.help.webapp/advanced/searchView.jsp?r1=1.32&r2=1.32.2.1


/help/advanced/workingSetManager.jsp:
  Bug 223980 � [Webapp] Unencoded strings inserted into JavaScript
  http://dev.eclipse.org/viewcvs/viewvc.cgi/org.eclipse.help.webapp/advanced/workingSetManager.jsp?r1=1.59&r2=1.60

  Bug 271049 � [Webapp] XSS vulnerabilities in Eclipse 3.4 help system
  http://dev.eclipse.org/viewcvs/viewvc.cgi/org.eclipse.help.webapp/advanced/workingSetManager.jsp?r1=1.62&r2=1.63

Comment 16 Vincent Danen 2011-01-19 18:18:12 UTC
I'm splitting out CVE-2008-7271 into its own bug since it does not affect RHEL6.

Comment 17 Vincent Danen 2011-01-19 18:22:20 UTC
Created eclipse tracking bugs for this issue

Affects: fedora-all [bug 670946]

Comment 18 Vincent Danen 2011-01-19 18:26:18 UTC
This has been addressed in Fedora via:

FEDORA-2010-18894 	eclipse-3.5.2-3.fc13
FEDORA-2010-18897 	eclipse-3.6.1-6.fc14

Comment 19 Vincent Danen 2011-01-19 18:51:04 UTC
Lowering the impact due to the fact that you must have Eclipse running at the time you visit a malicious web site.  Also, the web server that serves up the help contents randomizes the port number each time it starts, so the malicious site needs to guess what port it is listening on (i.e. first run here was on port 52621, second run on 50193).

Comment 20 Vincent Danen 2011-01-19 18:52:57 UTC
Statement:

(none)

Comment 25 errata-xmlrpc 2011-05-19 11:42:52 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0568 https://rhn.redhat.com/errata/RHSA-2011-0568.html


Note You need to log in before you can comment on or make changes to this bug.