Created attachment 237498: HTTP Authentication

Hi,

I have detected several vulnerabilities at http://www.eclipse.org/ this evening, which I would recommend that you try to address.

1. Reflected XSS.

I have detected this vulnerability for the following URL: http://www.eclipse.org/home/categories/

This vulnerability has been detected for the GET parameter category, where a malicious attacker can manipulate the content because of inappropriate server-side input validation. The following example is harmless, but illustrates the issue by using a small alert on the page:

http://www.eclipse.org/home/categories/?category=5c153%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&tab=start

You should fix this vulnerability by ensuring that all user input is validated across the web application.

2. Clear text authentication

It has been detected that the application is using clear text authentication, where sensitive passwords are transmitted in clear text. This issue has been identified for your forum at: http://www.eclipse.org/forums/index.php/i/1/index.php. I have attached a screenshot that shows this issue on the application.

3. Password field with autocomplete enabled.

The password field has the autocomplete feature enabled on the forum at http://www.eclipse.org/forums/index.php/i/1/index.php. This means that the password will be autocompleted when users are authenticating, because the passwords are stored in the browser. Best practice is to disable this feature on the application.
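The reflected XSS in item 1 is an output-encoding problem: the `category` value is written into the page in a way that lets a double quote close the surrounding attribute and the remainder be parsed as markup. The following is an added example, not code from the bug report or from the eclipse.org site, that parses the reporter's proof-of-concept URL the way a server would, shows a minimal "before" rendering that reproduces the defect, and the hardened rendering that HTML-escapes the value for the attribute context (optionally combined with an allow-list of known categories, as the reporter's "validate all user input" advice suggests). The attribute name, the allow-list contents and the `render_*` function names are assumptions made for the example.

```python
"""Added example: rendering a user-supplied query parameter safely.

Not from the Eclipse bug report or the eclipse.org code base. The only
page-derived value is the reporter's proof-of-concept URL, whose payload is
a harmless alert(1).
"""
import html
from urllib.parse import parse_qs, urlsplit

# Reporter's proof-of-concept URL (from the bug report), used here as test input.
REPORTED_URL = (
    "http://www.eclipse.org/home/categories/"
    "?category=5c153%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&tab=start"
)

# Assumed allow-list of valid category identifiers (constructed for the example).
KNOWN_CATEGORIES = frozenset({"tools", "ide", "rcp", "modeling"})


def category_param(url: str) -> str:
    """Return the URL-decoded 'category' GET parameter as the server sees it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("category", [""])[0]


def render_vulnerable(category: str) -> str:
    """Before: the raw parameter is concatenated into an attribute value.

    A '"' in the input closes the attribute and everything after it is
    parsed as markup. Kept only to contrast with the hardened version.
    """
    return f'<input type="hidden" name="category" value="{category}">'


def render_hardened(category: str) -> str:
    """After: HTML-escape for the attribute context before emitting.

    html.escape(quote=True) encodes & < > " and ', so the value can neither
    terminate the attribute nor open a tag, whatever the input contains.
    """
    return (
        '<input type="hidden" name="category" '
        f'value="{html.escape(category, quote=True)}">'
    )


def render_hardened_allowlisted(category: str,
                                known: frozenset = KNOWN_CATEGORIES) -> str:
    """Stricter variant: validate against an allow-list, then still encode.

    Unknown values are dropped rather than echoed, so the page never reflects
    attacker-chosen text even in escaped form.
    """
    safe = category if category in known else ""
    return render_hardened(safe)


def contains_live_script(fragment: str) -> bool:
    """Crude check: is there an unescaped '<script' in the rendered fragment?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    value = category_param(REPORTED_URL)
    print("decoded parameter:", value)
    print("vulnerable :", render_vulnerable(value))
    print("hardened   :", render_hardened(value))
    print("allow-list :", render_hardened_allowlisted(value))
```

The decisive difference is the context-aware encoding in `render_hardened`; the allow-list is defence in depth for a parameter that only ever takes a small set of known values, and the `contains_live_script` helper is just the kind of assertion one would put in a regression test for the fix.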
*** Bug 421894 has been marked as a duplicate of this bug. ***
Thank you for the report.

> 1. Reflected XSS.

This has been fixed.

> 2. Clear text authentication
> It has been detected that the application is using clear text
> authentication, where sensitive passwords are transmitted in clear text.
> This issue has been identified for your forum at:
> http://www.eclipse.org/forums/index.php/i/1/index.php.
> I have attached a screenshot that shows this issue on the application.

I cannot get a form from that page. We don't use the forum's built-in authentication, so I'm not overly concerned.
We're done here. Thanks again.