Bug 661901 - (CVE-2010-4647) CVE-2010-4647 eclipse: Help Content web application vulnerable to multiple XSS
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20101116,reported=2...
Keywords: Security
Depends On: 662967 670946
Reported: 2010-12-09 17:42 EST by Vincent Danen
Modified: 2015-08-19 05:01 EDT
Doc Type: Bug Fix
Last Closed: 2015-03-05 07:47:23 EST

External Trackers:
Eclipse Project 329582

Description Vincent Danen 2010-12-09 17:42:15 EST
It was reported [1] that the Eclipse Help Contents were vulnerable to Cross Site Scripting vulnerabilities in the /help/index.jsp and /help/advanced/content.jsp URLs that are served by the built-in Jetty Web Server plugin.

There is an upstream bug [2] and according to the reporter, this is corrected upstream (as of nightlies dating back to 20101110).

[1] http://yehg.net/lab/pr0js/advisories/eclipse/%5Beclipse_help_server%5D_cross_site_scripting
Comment 2 Vincent Danen 2011-01-06 12:32:35 EST
Upstream bug is here: https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582
Comment 3 Vincent Danen 2011-01-06 14:29:52 EST
This has been assigned the name CVE-2010-4647:

http://article.gmane.org/gmane.comp.security.oss.general/4059
Comment 4 Michal Nowak 2011-01-12 08:00:07 EST
How do I actually trigger the bug?

Using Eclipse 3.5.2 from RHEL6.0.

1)

Well, I started Eclipse and its Help Contents browser and in Firefox inserted this address

  http://localhost:38336/help/index.jsp?'onload='alert(0)

I can see the page "Using the help system" and that's what I'd expect.

2)

I changed notices.html from org.eclipse.platform.doc.user_3.5.2.r352_v20091111-0800.jar to contain the following code

  <p>
  <a href="/help/index.jsp?'onload='alert(0)">I am bad guy.</a>
  </p>

  <p>
  <a href="/help/advanced/content.jsp?'onload='alert(0)">I am bad guy #2.</a>
  </p>

Then I created the malformed JAR package and placed it in the Java path, restarted Eclipse and its Help Contents browser, and opened the notices.html page (called "Legal"). There I can see two new links; the first of them shows help/index.jsp in frames and the second one displays help/advanced/content.jsp as a single page. Nothing unusual.
Comment 5 Severin Gehwolf 2011-01-12 09:19:36 EST
FWIW, I included a fix for this bug in rawhide, F14 and F13 a while back. The fix does nothing but URL encode the relevant parts. The F13 link is here:
http://pkgs.fedoraproject.org/gitweb/?p=eclipse.git;a=commit;h=5c1617b9de63689d9682289def570666267d8ebe
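The defect class and the fix comment 5 describes (percent-encoding the request data before it is written back into a page attribute), illustrated with an added example. This is hypothetical code modelled on the bug description, not the Eclipse help webapp source; the class and method names are assumptions, and the sample value is the request from comment 4.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

// Hypothetical illustration, not Eclipse code: a help page that builds a
// frame URL from the incoming query string, before and after the fix.
public class HelpFrameUrl {

    // Vulnerable pattern: the raw query string is concatenated into a
    // single-quoted HTML attribute. A value containing a quote closes the
    // attribute early and whatever follows is parsed as new markup.
    static String vulnerableFrameTag(String query) {
        return "<frame src='/help/advanced/content.jsp?" + query + "'>";
    }

    // Hardened pattern: percent-encode the untrusted value first, so quotes,
    // '=', '(' and ')' reach the HTML parser only as %XX escapes.
    static String safeFrameTag(String query) {
        String encoded;
        try {
            encoded = URLEncoder.encode(query, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
        return "<frame src='/help/advanced/content.jsp?" + encoded + "'>";
    }

    // Review check: does the generated attribute value still contain a
    // character that can terminate the attribute or open a new tag?
    static boolean attributeBreaksOut(String tag) {
        int start = tag.indexOf("src='") + "src='".length();
        String inner = tag.substring(start, tag.lastIndexOf('\''));
        return inner.indexOf('\'') >= 0 || inner.indexOf('"') >= 0
                || inner.indexOf('<') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample: the query string from the request in comment 4.
        String payload = "'onload='alert(0)";
        String before = vulnerableFrameTag(payload);
        String after = safeFrameTag(payload);
        System.out.println("unencoded: " + before
                + " -> breaks out: " + attributeBreaksOut(before));
        System.out.println("encoded:   " + after
                + " -> breaks out: " + attributeBreaksOut(after));
    }
}
```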
Comment 6 Severin Gehwolf 2011-01-12 09:22:56 EST
I might as well add that I, too, was unable to reproduce this.
Comment 7 Vincent Danen 2011-01-13 16:49:05 EST
Since this issue is quite similar, I'm adding a second CVE to this bug.

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-7271 to
the following vulnerability:

Name: CVE-2008-7271
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7271
Assigned: 20110113
Reference: MISC: http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html
Reference: MISC: https://bugs.eclipse.org/bugs/show_bug.cgi?id=223539

Multiple cross-site scripting (XSS) vulnerabilities in the Help
Contents web application (aka the Help Server) in Eclipse IDE,
possibly 3.3.2, allow remote attackers to inject arbitrary web script
or HTML via (1) the searchWord parameter to
help/advanced/searchView.jsp or (2) the workingSet parameter in an add
action to help/advanced/workingSetManager.jsp, a different issue than
CVE-2010-4647.

Unfortunately, the upstream bug report is private, so I cannot get further details from there.
Comment 8 Michal Nowak 2011-01-14 06:27:50 EST
Was the last vulnerability addressed in 3.6 eclipse update?
Comment 9 Vincent Danen 2011-01-14 11:32:52 EST
(In reply to comment #8)
> Was the last vulnerability addressed in 3.6 eclipse update?

The blog entry makes a vague reference to it being fixed, but doesn't specify when or what version and the upstream bug is private.  I suppose the best way to know for certain is to test whether or not what the blog illustrates still works (or see if we can find someone who can look at that upstream report).
Comment 14 Vincent Danen 2011-01-19 13:06:10 EST
For CVE-2008-7271, these issues should be fixed in Eclipse 3.6, via:

/help/advanced/searchView.jsp:
  Bug 223980 - [Webapp] Unencoded strings inserted into JavaScript
  http://dev.eclipse.org/viewcvs/viewvc.cgi/org.eclipse.help.webapp/advanced/searchView.jsp?r1=1.31&r2=1.32

  Bug 271049 - [Webapp][Security] XSS vulnerabilities in Eclipse 3.4 help system
  http://dev.eclipse.org/viewcvs/viewvc.cgi/org.eclipse.help.webapp/advanced/searchView.jsp?r1=1.32&r2=1.32.2.1

/help/advanced/workingSetManager.jsp:
  Bug 223980 - [Webapp] Unencoded strings inserted into JavaScript
  http://dev.eclipse.org/viewcvs/viewvc.cgi/org.eclipse.help.webapp/advanced/workingSetManager.jsp?r1=1.59&r2=1.60

  Bug 271049 - [Webapp] XSS vulnerabilities in Eclipse 3.4 help system
  http://dev.eclipse.org/viewcvs/viewvc.cgi/org.eclipse.help.webapp/advanced/workingSetManager.jsp?r1=1.62&r2=1.63
Comment 16 Vincent Danen 2011-01-19 13:18:12 EST
I'm splitting out CVE-2008-7271 into its own bug since it does not affect RHEL6.
Comment 17 Vincent Danen 2011-01-19 13:22:20 EST
Created eclipse tracking bugs for this issue

Affects: fedora-all [bug 670946]
Comment 18 Vincent Danen 2011-01-19 13:26:18 EST
This has been addressed in Fedora via:

FEDORA-2010-18894  eclipse-3.5.2-3.fc13
FEDORA-2010-18897  eclipse-3.6.1-6.fc14
Comment 19 Vincent Danen 2011-01-19 13:51:04 EST
Lowering the impact due to the fact that you must have Eclipse running at the time you visit a malicious web site.  Also, the web server that serves up the help contents randomizes the port number each time it starts, so the malicious site needs to guess what port it is listening on (i.e. first run here was on port 52621, second run on 50193).
Comment 20 Vincent Danen 2011-01-19 13:52:57 EST
Statement:

(none)
Comment 25 errata-xmlrpc 2011-05-19 07:42:52 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0568 https://rhn.redhat.com/errata/RHSA-2011-0568.html