Bug 421875 - Vulnerabilities on http://www.eclipse.org/
Summary: Vulnerabilities on http://www.eclipse.org/
Status: RESOLVED FIXED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Website
Version: unspecified
Hardware: PC Windows 8
Importance: P3 major
Target Milestone: ---
Assignee: phoenix.ui CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Duplicates: 421894
Depends on:
Blocks:
 
Reported: 2013-11-15 16:20 EST by Michael Vedel CLA
Modified: 2013-11-21 13:36 EST

See Also:


Attachments
HTTP Authentication (27.94 KB, image/png)
2013-11-15 16:20 EST, Michael Vedel CLA

Description Michael Vedel CLA 2013-11-15 16:20:22 EST
Created attachment 237498
HTTP Authentication

Hi,

I have detected several vulnerabilities at http://www.eclipse.org/ this evening, which I would recommend that you try to address.

1. Reflected XSS. 

I have detected this vulnerability for the following URL:
http://www.eclipse.org/home/categories/
This vulnerability has been detected for the GET parameter category, where a malicious attacker can manipulate the content because of inappropriate server-side input validation.
The following example is harmless, but illustrates the example by using a small alert on the page: http://www.eclipse.org/home/categories/?category=5c153%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&tab=start 
You should fix this vulnerability by ensuring that all user input is validated across the web application. 

2. Clear Text authentication
It has been detected that the application is using clear text authentication, where sensitive passwords are transmitted in clear text.
This issue has been identified for your forum at: http://www.eclipse.org/forums/index.php/i/1/index.php.
I have attached a screenshot that shows this issue on the application.

3. Password field with autocomplete enabled.
Password field has the autocomplete feature enabled on the forum at http://www.eclipse.org/forums/index.php/i/1/index.php. 
This means that the password will be autocompleted when users are authenticating, because the passwords are stored in the browser. Best practice is to disable this feature on the application.
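
Added example, not part of the original report and not Eclipse's code: finding 1 above, reproduced offline with the report's own proof-of-concept URL, showing the unencoded reflection beside allow-list validation plus output encoding (the encoding step goes beyond the input validation the report recommends). The attribute sink, the function names and the category pattern are assumptions; the page does not show the site's markup.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Proof-of-concept URL copied from the report above.
REPORTED_URL = ("http://www.eclipse.org/home/categories/"
                "?category=5c153%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&tab=start")

# Assumption: a legitimate category value is a short alphanumeric token.
CATEGORY_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def get_param(url, name):
    """Return the first URL-decoded value of a query parameter, or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(category):
    """Hypothetical sink: echoes the parameter into an attribute unencoded."""
    return '<input type="hidden" name="category" value="' + category + '">'


def validate_category(category):
    """Allow-list validation: return the value only if it is a plain token."""
    return category if CATEGORY_RE.fullmatch(category) else None


def render_hardened(category):
    """Validate on input, then HTML-escape on output for the attribute context."""
    checked = validate_category(category)
    if checked is None:
        checked = ""  # show the default view rather than echoing rejected input
    return ('<input type="hidden" name="category" value="'
            + html.escape(checked, quote=True) + '">')


if __name__ == "__main__":
    value = get_param(REPORTED_URL, "category")
    print("decoded   :", value)
    print("vulnerable:", render_vulnerable(value))
    print("escaped   :", html.escape(value, quote=True))
    print("hardened  :", render_hardened(value))
```
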
Comment 1 Denis Roy CLA 2013-11-18 09:22:19 EST
*** Bug 421894 has been marked as a duplicate of this bug. ***
Comment 2 Denis Roy CLA 2013-11-21 11:29:50 EST
Thank you for the report.

 
> 1. Reflected XSS. 
This has been fixed.



> 2. Clear Text authentication
> It has been detected that the application is using clear text
> authentication, where sensitive passwords are transmitted in clear text.
> This issue has been identified for your forum at:
> http://www.eclipse.org/forums/index.php/i/1/index.php.
> I have attached a screenshot that shows this issue on the application.

I cannot get a form from that page.  We don't use the forum's built-in authentication, so I'm not overly concerned.
Comment 3 Denis Roy CLA 2013-11-21 13:36:40 EST
We're done here.  Thanks again.