Hide Forgot
It was reported [1] that the Eclipse Help Contents were vulnerable to Cross Site Scripting vulnerabilities in the /help/index.jsp and /help/advanced/content.jsp URLs that are served by the built-in Jetty Web Server plugin. There is an upstream bug [2] and according to the reporter, this is corrected upstream (as of nightlies dating back to 20101110). [1] http://yehg.net/lab/pr0js/advisories/eclipse/%5Beclipse_help_server%5D_cross_site_scripting
Upstream bug is here: https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582
This has been assigned the name CVE-2010-4647: http://article.gmane.org/gmane.comp.security.oss.general/4059
How do I trigger the bug actually? Using Eclipse 3.5.2 from RHEL6.0. 1) Well, I started Eclipse and it's Help Contents browser and in Firefox inserted this address http://localhost:38336/help/index.jsp?'onload='alert(0) I can see page "Using the help system" and that's what'd expect. 2) I changed notices.html from org.eclipse.platform.doc.user_3.5.2.r352_v20091111-0800.jar to contain following code <p> <a href="/help/index.jsp?'onload='alert(0)">I am bad guy.</a> </p> <p> <a href="/help/advanced/content.jsp?'onload='alert(0)">I am bad guy #2.</a> </p> Then I created malformed JAR package and placed it to java path, restarted Eclipse and it's Help Contents browser, gained notices.html page (called "Legal"). There I can see two new links, first of them shows help/index.jsp in frames and the second one displays help/advanced/content.jsp as a single page. Nothing unusual.
FWIW, I included a fix for this bug in rawhide, F14 and F13 a while back. The fix does nothing bug URL encode relevant parts. The F13 link is here: http://pkgs.fedoraproject.org/gitweb/?p=eclipse.git;a=commit;h=5c1617b9de63689d9682289def570666267d8ebe
I might as well add that I was, too, unable to reproducing this.
Since this issue is quite similar, I'm adding a second CVE to this bug. Common Vulnerabilities and Exposures assigned an identifier CVE-2008-7271 to the following vulnerability: Name: CVE-2008-7271 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7271 Assigned: 20110113 Reference: MISC: http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html Reference: MISC: https://bugs.eclipse.org/bugs/show_bug.cgi?id=223539 Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3.3.2, allow remote attackers to inject arbitrary web script or HTML via (1) the searchWord parameter to help/advanced/searchView.jsp or (2) the workingSet parameter in an add action to help/advanced/workingSetManager.jsp, a different issue than CVE-2010-4647. Unfortunately, the upstream bug report is private so cannot get further details from there.
Was the last vulnerability addressed in 3.6 eclipse update?
(In reply to comment #8) > Was the last vulnerability addressed in 3.6 eclipse update? The blog entry makes a vague reference to it being fixed, but doesn't specify when or what version and the upstream bug is private. I suppose the best way to know for certain is to test whether or not what the blog illustrates still works (or see if we can find someone who can look at that upstream report).
For CVE-2008-7271, these issues should be fixed in Eclipse 3.6, via: /help/advanced/searchView.jsp: Bug 223980 � [Webapp] Unencoded strings inserted into JavaScript http://dev.eclipse.org/viewcvs/viewvc.cgi/org.eclipse.help.webapp/advanced/searchView.jsp?r1=1.31&r2=1.32 Bug 271049 - [Webapp][Security] XSS vulnerabilities in Eclipse 3.4 help system http://dev.eclipse.org/viewcvs/viewvc.cgi/org.eclipse.help.webapp/advanced/searchView.jsp?r1=1.32&r2=1.32.2.1 /help/advanced/workingSetManager.jsp: Bug 223980 � [Webapp] Unencoded strings inserted into JavaScript http://dev.eclipse.org/viewcvs/viewvc.cgi/org.eclipse.help.webapp/advanced/workingSetManager.jsp?r1=1.59&r2=1.60 Bug 271049 � [Webapp] XSS vulnerabilities in Eclipse 3.4 help system http://dev.eclipse.org/viewcvs/viewvc.cgi/org.eclipse.help.webapp/advanced/workingSetManager.jsp?r1=1.62&r2=1.63
I'm splitting out CVE-2008-7271 into its own bug since it does not affect RHEL6.
Created eclipse tracking bugs for this issue Affects: fedora-all [bug 670946]
This has been addressed in Fedora via: FEDORA-2010-18894 eclipse-3.5.2-3.fc13 FEDORA-2010-18897 eclipse-3.6.1-6.fc14
Lowering the impact due to the fact that you must have Eclipse running at the time you visit a malicious web site. Also, the web server that serves up the help contents randomizes the port number each time it starts, so the malicious site needs to guess what port it is listening on (i.e. first run here was on port 52621, second run on 50193).
Statement: (none)
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:0568 https://rhn.redhat.com/errata/RHSA-2011-0568.html