Community
Participate
Working Groups
+++ This bug was initially created as a clone of Bug #329582 +++ Build Identifier: 20100917-0705 The /help/index.jsp URL is vulnerable to Cross Site See the sample exploit. http://yehg.net/lab/pr0js/advisories/eclipse/helios/help_server_xss/eclipse_ie_xss_demo.htm Reproducible: Always Steps to Reproduce: 1. Open "Help Contents" under Help menu of Eclipse 2. Note its random port number by seeing status bar of Help Window 3. Request the follow URL with Internet Explorer http://localhost:[REPLACE]/help/index.jsp?'onload='alert(0) Replace [REPLACE] with your own port number.
Created attachment 182922 [details] Patch
Vivian, can you review this patch?
Still can see the problem with url --> http://localhost:[REPLACE]/help/advanced/content.jsp?'onload='alert(0)
That's strange - which browser were you using when you tested? I just tested using IE ( 8.0 ) and the problem reproduced without the patch, then when I added the patch and restarted an infocenter the problem was no longer there. With Firefox 3.6 I did not see a pop up dialog with or without the patch. Did you clear the cache in your browser?
I'm now able to see that there is still a problem. Under certain circumstances - opening the URL from another help page is one I see a warning in IE8 which says that the page has been modified to prevent an XSS vulnerability. I do not always see the warning but this tells me that there is still a problem. The review process is working as intended - I will investigate further. What browser did you use and what were the exact symptoms you saw?
It really fix XSS vulnerability. But it still causes unresponsive script. Both in FF and IE.
IE 8+ will always give you an XSS warning for suspicious urls even if the web application is not vulnerable.
Created attachment 183492 [details] Patch version 2 including fix for endless loop in script in toolbar.jsp
I have added a fix for the unresponsive script. Please review my new patch.
Chris, here is some enhancement: With this fix, unresponsive script has been fixed when visiting http://localhost:[REPLACE]/help/advanced/content.jsp?'onload='alert(0) But when user click maxmize button, unresponsive script will occur, so I think same logic should also be modified in method toggleFrame() in toolbar.jsp.
Created attachment 183586 [details] 183492: Patch version 3 including fix for two endless loops in script in toolbar.jsp This fixes the endless loop when the maximize button is pressed. Opening content.jsp on it's own outside a frame is not a recommended way of using the help system but it's still a good idea to remove the possibility of an endless loop. Once these fixes are approved I will port the changes to toolbar.jsp back to HEAD.
Latest patch looks good. Verified.
Thanks, Vivian
Patch applied to 3.6 maintenance stream, FIXED.
Removing security restriction for bugs that have been fixed in 3.6.2 or earlier.
