Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25143
HistoryNov 18, 2010 - 12:00 a.m.

Eclipse IDE | Help Server Local Cross Site Scripting (XSS) Vulnerability

2010-11-1800:00:00
vulners.com
25

=========================================================
Eclipse IDE | Help Server Local Cross Site Scripting (XSS) Vulnerability

  1. OVERVIEW

The Help Content web application of Eclipse IDE was vulnerable to
Cross Site Scripting (XSS) Vulnerability.

  1. PRODUCT DESCRIPTION

Eclipse is a multi-language software development environment
comprising an integrated development environment (IDE) and an
extensible plug-in system. It is written mostly in Java and can be
used to develop applications in Java and, by means of various
plug-ins, other programming languages including Ada, C, C++, COBOL,
Perl, PHP, Python, Ruby (including Ruby on Rails framework), Scala,
and Scheme. The IDE is often called Eclipse ADT for Ada, Eclipse CDT
for C/C++, Eclipse JDT for Java, and Eclipse PDT for PHP.

  1. VULNERABILITY DESCRIPTION

Eclipse Help Contents are served as a web application via the built-in
Jetty Web Server plugin. Cross Site Scripting vulnerabilities were
found in /help/index.jsp and /help/advanced/content.jsp URLs. XSS on
/help/advanced/content.jsp url makes the browser hang
but even after clicking "Stop Executing" button, users can still get XSS.

  1. VERSIONS AFFECTED

Eclipse IDE Version: 3.6.1 <=

Tested Editions(SDK, Java, J2EE)

  1. PROOF-OF-CONCEPT/EXPLOIT

http://localhost:[REPLACE]/help/index.jsp?'onload='alert(0)
http://localhost:[REPLACE]/help/advanced/content.jsp?'onload='alert(0)

  1. IMPACT

In a situation where users' browser security settings are weak, the
localized XSS vector could enable attackers to perform a number of
black acts including cross site content access, smb shares
enumeration, remote code execution, malicious trojan downloading and
execution …etc.

  1. SOLUTION

Apply the recent error-free nightly builds (ie.
http://download.eclipse.org/eclipse/downloads/drops/N20101110-2000/index.php&#41;
.
According to the developer, "Chris Goldthorpe", the fix is in the
nightly build, http://download.eclipse.org/eclipse/downloads/drops/N20101108-2000/index.php
, it will also be in 3.6.2 (February 2011) and 3.7 (June 2011).

  1. VENDOR

Eclipse Developers Team
http://www.eclipse.org/

  1. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.

  1. DISCLOSURE TIME-LINE

2010-11-04 : vulnerability discovered
2010-11-05 : notified vendor
2010-11-08 : patch released and applied to svn
2010-11-16 : vulnerability disclosed

  1. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/eclipse/[eclipse_help_server]_cross_site_scripting
Eclipse Bug Tracker: https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582
Previous XSS Flaws:
http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html
(searchView.jsp, workingSetManager.jsp)
Cross Environment Hopping:
http://blog.watchfire.com/wfblog/2008/06/cross-environ-1.html
About Eclipse IDE:
https://secure.wikimedia.org/wikipedia/en/wiki/Eclipse_&#37;28software&#37;29

#yehg [2010-11-16]


Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd