Bug 329056 - Eclipse Help Source Code Disclosure in Jetty
Status: CLOSED DUPLICATE of bug 328795
Alias: None
Product: Platform
Classification: Eclipse Project
Component: User Assistance
Version: 3.6.1
Hardware: All All
Importance: P3 normal
Target Milestone: ---
Assignee: platform-ua-inbox CLA
Reported: 2010-10-29 11:23 EDT by YGN Ethical Hacker Group CLA
Modified: 2012-01-13 12:30 EST
Attachments
PoC screenshot (65.07 KB, image/jpeg)
2010-10-29 11:25 EDT, YGN Ethical Hacker Group CLA
Poc Screenshot (73.57 KB, image/jpeg)
2010-10-29 11:26 EDT, YGN Ethical Hacker Group CLA
Poc Screenshot (63.94 KB, image/jpeg)
2010-10-29 11:27 EDT, YGN Ethical Hacker Group CLA
Description YGN Ethical Hacker Group CLA 2010-10-29 11:23:49 EDT
Build Identifier: 20100917-0705

Apologies in advance if I wasted your time, guys. The reason for reporting this bug is that I couldn't figure it out because of cross-application issues with the Jetty server. It has also been reported to the Jetty Project Lead, who said the problem might be because of an Eclipse framework used to serve the static content and is unrelated to any Jetty problems.

I'd like to know whether this flaw is due to Jetty or Eclipse so that we, developers, can avoid such problems in our own applications.

Reproducible: Always

Steps to Reproduce:
1. Open Eclipse's help content from the Eclipse GUI
2. Note its HTTP server port
3. Request the following URLs
   (If the HTTP port is 2490)
  http://localhost:2490/help/advanced/tocView.jsp\
  http://localhost:2490/help/advanced/search.jsp%5C

4. You will see the full source code.
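
Added example, not part of the original report and not Eclipse or Jetty code: a Python scan of access-log lines for the request pattern in the steps above, a .jsp path followed by a raw or percent-encoded backslash. The NCSA common log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# NCSA common log format (assumed): host ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# A .jsp name followed only by backslashes, checked after percent-decoding.
JSP_TRAILING_BACKSLASH = re.compile(r'\.jsp\\+$', re.IGNORECASE)


def is_suspect_target(target):
    """True if the request path is a JSP name with a trailing backslash."""
    path = target.split('?', 1)[0]       # drop the query string
    path = unquote(path)                 # %5C and %5c both decode to "\"
    return bool(JSP_TRAILING_BACKSLASH.search(path))


def scan(lines):
    """Return (host, time, target, status) for every suspect request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_suspect_target(m['target']):
            hits.append((m['host'], m['time'], m['target'], int(m['status'])))
    return hits


# Constructed sample lines; port-local help server traffic as in the report.
SAMPLE_LOG = [
    r'127.0.0.1 - - [29/Oct/2010:11:20:01 -0400] "GET /help/advanced/tocView.jsp HTTP/1.1" 200 5120',
    r'127.0.0.1 - - [29/Oct/2010:11:21:14 -0400] "GET /help/advanced/tocView.jsp\ HTTP/1.1" 200 9482',
    r'127.0.0.1 - - [29/Oct/2010:11:21:40 -0400] "GET /help/advanced/search.jsp%5C HTTP/1.1" 200 7311',
    r'127.0.0.1 - - [29/Oct/2010:11:22:02 -0400] "GET /help/advanced/search.jsp%5c?lang=en HTTP/1.1" 404 0',
    r'127.0.0.1 - - [29/Oct/2010:11:22:30 -0400] "GET /help/topic/a%5Cb.html HTTP/1.1" 200 812',
]

if __name__ == '__main__':
    for host, when, target, status in scan(SAMPLE_LOG):
        # A 200 on such a request is the case worth investigating first.
        print(f'{when} {host} {status} {target}')
```

The same predicate can serve as a request-rejection rule in front of the help server; hits answered with status 200 are the ones to review first.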
Comment 1 YGN Ethical Hacker Group CLA 2010-10-29 11:25:56 EDT
Created attachment 182054 [details]
PoC screenshot
Comment 2 YGN Ethical Hacker Group CLA 2010-10-29 11:26:57 EDT
Created attachment 182055 [details]
Poc Screenshot
Comment 3 YGN Ethical Hacker Group CLA 2010-10-29 11:27:45 EDT
Created attachment 182056 [details]
Poc Screenshot
Comment 4 Chris Goldthorpe CLA 2010-10-29 12:33:23 EDT
Thanks for filing this. The same problem was recently reported in Bug 328795 so I am closing as a duplicate.

*** This bug has been marked as a duplicate of bug 328795 ***
Comment 5 Wayne Beaton CLA 2012-01-13 12:03:18 EST
Does this bug need to be restricted to committers only?
Comment 6 Chris Goldthorpe CLA 2012-01-13 12:30:18 EST
Bug 328795 is not restricted so this one should not be either.