Bug 421700 - Reflected XSS - https://dev.eclipse.org/portal/myfoundation/tests/explore.php
Summary: Reflected XSS - https://dev.eclipse.org/portal/myfoundation/tests/explore.php
Status: RESOLVED FIXED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Project Management & Portal (show other bugs)
Version: unspecified   Edit
Hardware: All All
: P3 major (vote)
Target Milestone: ---   Edit
Assignee: Portal Bugzilla Dummy Inbox CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2013-11-14 00:39 EST by Jamieson O\'Reilly CLA
Modified: 2013-11-14 12:38 EST (History)
4 users (show)

See Also:

Attachments
Screen Shot of XSS (382.41 KB, image/png)
2013-11-14 00:39 EST, Jamieson O\'Reilly CLA 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jamieson O\'Reilly CLA 2013-11-14 00:39:19 EST 
Created attachment 237457 [details]
Screen Shot of XSS

The dev.eclipse.org/portal/myfoundation/tests/explore.php file is vulnerable to reflected Cross-site-scripting attacks that would allow a malicious user to steal authentication cookies with user interaction.

Proof of Concept URL: 

https://dev.eclipse.org/portal/myfoundation/tests/explore.php?component=anonymous_forms/anonymous_forms&class=%22%3Cimg%20src=x%20onerror=alert%28document.cookie%29%20%3E
Comment 1 Jamieson O\'Reilly CLA 2013-11-14 00:43:57 EST 
Tested and working in FireFox 20.0 

Not working in Chrome/IE
Comment 2 Denis Roy CLA 2013-11-14 09:03:53 EST 
Matt, Wayne, since the Portal is deprecated, can we just remove or otherwise block this file?

If altering the code and rebuilding the Portal is too much of a hassle, I'm open to adding an Apache rewrite to send a 403 Forbidden for that URI.
Comment 3 Wayne Beaton CLA 2013-11-14 11:27:50 EST 
I'll investigate
Comment 4 Wayne Beaton CLA 2013-11-14 12:38:23 EST 
I decided that the cost of fixing the problem outweighed the benefit of maintaining the page. I've replaced the dynamic content with a static message.