Community
Participate
Working Groups
Build Identifier: 3.6 RC 4 In the FramesetFilter.java servlet, there are places where invalid urls can be passed to server. This issue allows cross site scripting to occur under the credentials of the application and not the user. line 68 script.append(req.getPathInfo()); Example of exploit: http://127.0.0.1:1084/help/topic/"+alert(document.cookie)+".html The suggested fix is to url encode the url before appending it. See Patch Reproducible: Always Steps to Reproduce: This can be reproduced on machines running Firefox (any version) and Internet Explorer 6 & 7 (IE 8 s
Created attachment 172044 [details] FramesetFilter Patch with suggested urlencode Here is a suggested patch based on the recommended remediation approach for this kind of exploit.
> Steps to Reproduce: > This can be reproduced on machines running Firefox (any version) and Internet > Explorer 6 & 7 (IE 8 s IE 8 Specifically blocks client side javascript in the urls.
Patch applied to HEAD.
Patch applied to 3.6 maintenance stream, fixed for Eclipse 3.6.1
The patch has also been applied to the 3.5 maintenance stream.
The patch has also been applied to the 3.4 maintenance stream.
Verified in M20100901-0800
This bug is currently marked as a private bug for security purposes. Since the bug is fixed, should it not be open?
At the architectural council meeting last week I raised the issue of removing the security lock from bug reports which have been fixed - the conclusion was that we should keep these locked.
Removing security restriction for bugs that have been fixed in 3.6.2 or earlier.
