Build Identifier: 20100917-0705

The /help/index.jsp and /help/advanced/content.jsp URLs are vulnerable to Cross Site Scripting. XSS with the /help/advanced/content.jsp URL makes the browser hang, but even after clicking the "Stop Executing" button, users can still get XSS. See the sample exploit: http://yehg.net/lab/pr0js/advisories/eclipse/helios/help_server_xss/eclipse_ie_xss_demo.htm

Reproducible: Always

Steps to Reproduce:
1. Open "Help Contents" under the Help menu of Eclipse.
2. Note its random port number by looking at the status bar of the Help window.
3. Request the following URLs with Internet Explorer:

http://localhost:[REPLACE]/help/index.jsp?'onload='alert(0)
http://localhost:[REPLACE]/help/advanced/content.jsp?'onload='alert(0)

Replace [REPLACE] with your own port number.
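The class of bug reported above, as an added example that is not part of the original report and is not Eclipse help webapp code: a query string copied into a single-quoted HTML attribute, next to the same markup with attribute encoding applied. The frame markup, the `example_frame.jsp` name and the helper names are assumptions made for illustration; the attached patch is not shown on this page and may differ.

```java
// Added illustration only; not code from the Eclipse help webapp.
// The frame markup and "example_frame.jsp" are hypothetical.
public class HelpQueryEscapeDemo {

    // Vulnerable pattern: the raw query string lands inside a
    // single-quoted attribute, so a quote in it ends the attribute.
    static String renderUnsafe(String query) {
        return "<frame src='example_frame.jsp?" + query + "'>";
    }

    // Encode the characters that are significant inside an HTML
    // attribute value, whichever quote style the template uses.
    static String escapeAttr(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hardened pattern: same markup, query string encoded first.
    static String renderSafe(String query) {
        return "<frame src='example_frame.jsp?" + escapeAttr(query) + "'>";
    }

    public static void main(String[] args) {
        String query = "'onload='alert(0)"; // query string from the report
        String unsafe = renderUnsafe(query);
        String safe = renderSafe(query);
        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);
        // In the unsafe output the quote closes src and onload becomes
        // its own attribute; in the safe output no raw quote survives.
        if (!unsafe.contains("?'onload='") || safe.contains("'onload")) {
            throw new AssertionError("escaping check failed");
        }
    }
}
```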
Created attachment 182653: Patch

There are two problems uncovered by this bug. This patch fixes the major problem, which is the XSS vulnerability. The other less serious issue is described in Bug 329699 - [Webapp] Opening /help/advanced/content.jsp causes unresponsive script.
Patch applied to HEAD, Fixed
Resolving as Fixed
Created attachment 189137: Patch for 3.5 maintenance stream

I have applied this patch to the 3.5 maintenance stream.
Requesting that a patch be provided for 3.4.2 as this is the version our products are currently using. Our next release will be on the 3.6.x level. Will the 3.5 stream patch work for 3.6.2? Also, we have releases still under service that use 3.4 as well as 3.2.2. Hopefully a patch for 3.4.2 would essentially be the same for 3.4. I realize 3.2.2 is another story.
I've applied to the 3.4 maintenance stream the same patch as was applied to the 3.5 maintenance stream.
Removing security restriction for bugs that have been fixed in 3.6.2 or earlier.