Red Hat Bugzilla – Bug 661901
CVE-2010-4647 eclipse: Help Content web application vulnerable to multiple XSS
Last modified: 2015-08-19 05:01:27 EDT
It was reported  that the Eclipse Help Contents were vulnerable to Cross Site Scripting vulnerabilities in the /help/index.jsp and /help/advanced/content.jsp URLs that are served by the built-in Jetty Web Server plugin.
There is an upstream bug  and according to the reporter, this is corrected upstream (as of nightlies dating back to 20101110).
Upstream bug is here: https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582
This has been assigned the name CVE-2010-4647:
How do I trigger the bug actually?
Using Eclipse 3.5.2 from RHEL6.0.
Well, I started Eclipse and it's Help Contents browser and in Firefox inserted this address
I can see page "Using the help system" and that's what'd expect.
I changed notices.html from org.eclipse.platform.doc.user_3.5.2.r352_v20091111-0800.jar to contain following code
<a href="/help/index.jsp?'onload='alert(0)">I am bad guy.</a>
<a href="/help/advanced/content.jsp?'onload='alert(0)">I am bad guy #2.</a>
Then I created malformed JAR package and placed it to java path, restarted Eclipse and it's Help Contents browser, gained notices.html page (called "Legal"). There I can see two new links, first of them shows help/index.jsp in frames and the second one displays help/advanced/content.jsp as a single page. Nothing unusual.
FWIW, I included a fix for this bug in rawhide, F14 and F13 a while back. The fix does nothing bug URL encode relevant parts. The F13 link is here:
I might as well add that I was, too, unable to reproducing this.
Since this issue is quite similar, I'm adding a second CVE to this bug.
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-7271 to
the following vulnerability:
Reference: MISC: http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html
Reference: MISC: https://bugs.eclipse.org/bugs/show_bug.cgi?id=223539
Multiple cross-site scripting (XSS) vulnerabilities in the Help
Contents web application (aka the Help Server) in Eclipse IDE,
possibly 3.3.2, allow remote attackers to inject arbitrary web script
or HTML via (1) the searchWord parameter to
help/advanced/searchView.jsp or (2) the workingSet parameter in an add
action to help/advanced/workingSetManager.jsp, a different issue than
Unfortunately, the upstream bug report is private so cannot get further details from there.
Was the last vulnerability addressed in 3.6 eclipse update?
(In reply to comment #8)
> Was the last vulnerability addressed in 3.6 eclipse update?
The blog entry makes a vague reference to it being fixed, but doesn't specify when or what version and the upstream bug is private. I suppose the best way to know for certain is to test whether or not what the blog illustrates still works (or see if we can find someone who can look at that upstream report).
For CVE-2008-7271, these issues should be fixed in Eclipse 3.6, via:
Bug 271049 - [Webapp][Security] XSS vulnerabilities in Eclipse 3.4 help system
Bug 271049 � [Webapp] XSS vulnerabilities in Eclipse 3.4 help system
I'm splitting out CVE-2008-7271 into its own bug since it does not affect RHEL6.
Created eclipse tracking bugs for this issue
Affects: fedora-all [bug 670946]
This has been addressed in Fedora via:
Lowering the impact due to the fact that you must have Eclipse running at the time you visit a malicious web site. Also, the web server that serves up the help contents randomizes the port number each time it starts, so the malicious site needs to guess what port it is listening on (i.e. first run here was on port 52621, second run on 50193).
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:0568 https://rhn.redhat.com/errata/RHSA-2011-0568.html