Field | Value
---|---
Summary | [Webapp][Security] Eclipse Help Server XSS
Product | [Eclipse Project] Platform
Reporter | YGN Ethical Hacker Group <ec>
Component | User Assistance
Assignee | Chris Goldthorpe <cgold>
Status | RESOLVED FIXED
QA Contact |
Severity | major
Priority | P3
CC | carlos.morais, cgold, ec, kleind, stephen.francisco
Version | 4.1
Keywords | security
Target Milestone | 3.7 M4
Hardware | PC
OS | other
Whiteboard |
Bug Depends on |
Bug Blocks | 330026
Attachments |
Description
YGN Ethical Hacker Group
2010-11-05 15:35:56 EDT
Created attachment 182653 [details]
Patch

There are two problems uncovered by this bug. This patch fixes the major problem, which is the XSS vulnerability. The other less serious issue is described in Bug 329699 - [Webapp] Opening /help/advanced/content.jsp causes unresponsive script.

Patch applied to HEAD, Fixed

Resolving as Fixed

Created attachment 189137 [details]
Patch for 3.5 maintenance stream

I have applied this patch to the 3.5 maintenance stream.

Requesting that a patch be provided for 3.4.2 as this is the version our products are currently using. Our next release will be on the 3.6.x level. Will the 3.5 stream patch work for 3.6.2? Also, we have releases still under service that use 3.4 as well as 3.2.2. Hopefully a patch for 3.4.2 would essentially be the same for 3.4. I realize 3.2.2 is another story.

I've applied to the 3.4 maintenance stream the same patch as was applied to the 3.5 maintenance stream.

Removing security restriction for bugs that have been fixed in 3.6.2 or earlier.