Created attachment 237457: Screen Shot of XSS

The dev.eclipse.org/portal/myfoundation/tests/explore.php file is vulnerable to reflected cross-site scripting attacks that would allow a malicious user to steal authentication cookies with user interaction.

Proof of Concept URL: https://dev.eclipse.org/portal/myfoundation/tests/explore.php?component=anonymous_forms/anonymous_forms&class=%22%3Cimg%20src=x%20onerror=alert%28document.cookie%29%20%3E

Tested and working in Firefox 20.0. Not working in Chrome/IE.
Matt, Wayne, since the Portal is deprecated, can we just remove or otherwise block this file? If altering the code and rebuilding the Portal is too much of a hassle, I'm open to adding an Apache rewrite to send a 403 Forbidden for that URI.
I'll investigate.
I decided that the cost of fixing the problem outweighed the benefit of maintaining the page. I've replaced the dynamic content with a static message.
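The reflected `class` parameter from the report, rendered raw and then attribute-escaped, together with the 403 stopgap proposed in the thread, as an added Python example that is not code from the Eclipse portal. The HTML template and the `should_forbid` helper are constructed stand-ins, since the page does not show how explore.php actually reflects the value.

```python
import html
from urllib.parse import parse_qs, urlsplit

# PoC URL quoted in the report; only its `class` query parameter matters here.
POC_URL = ("https://dev.eclipse.org/portal/myfoundation/tests/explore.php"
           "?component=anonymous_forms/anonymous_forms"
           "&class=%22%3Cimg%20src=x%20onerror=alert%28document.cookie%29%20%3E")


def class_param(url: str) -> str:
    """Return the percent-decoded `class` query parameter ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("class", [""])[0]


# Constructed stand-in for a page that reflects `class` into an HTML attribute;
# the real explore.php template is not part of the report.
def render_unsafe(cls: str) -> str:
    """'Before': the parameter is interpolated verbatim, so the leading double
    quote in the PoC value terminates the attribute value early."""
    return f'<div class="{cls}">component</div>'


def render_safe(cls: str) -> str:
    """'After': attribute-context escaping. quote=True is what turns the input's
    double quote into &quot; so it can no longer end the attribute."""
    return f'<div class="{html.escape(cls, quote=True)}">component</div>'


def input_metachars_survive(rendered: str) -> bool:
    """True if any <, >, \" or ' beyond those of the fixed template reached the
    output, i.e. user-controlled markup characters were reflected unescaped."""
    template = render_safe("")  # same template with no user-controlled content
    return any(rendered.count(ch) > template.count(ch) for ch in "<>\"'")


def should_forbid(request_path: str) -> bool:
    """Stopgap discussed in the thread: answer 403 for the deprecated page's URI
    (what the proposed Apache rewrite would do) until the page is removed."""
    return request_path == "/portal/myfoundation/tests/explore.php"


if __name__ == "__main__":
    value = class_param(POC_URL)
    print("unsafe leaks metacharacters:", input_metachars_survive(render_unsafe(value)))
    print("safe leaks metacharacters:  ", input_metachars_survive(render_safe(value)))
    print("block URI:", should_forbid(urlsplit(POC_URL).path))
```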