Bug 424827 - Potential XSS vulnerability on /downloads page.
Summary: Potential XSS vulnerability on /downloads page.
Status: RESOLVED FIXED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Website
Version: unspecified
Hardware: PC Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Christopher Guindon CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2014-01-02 19:15 EST by Wayne Beaton CLA
Modified: 2015-04-13 11:17 EDT (History)

See Also:


Attachments
XSS in action (147.57 KB, image/jpeg)
2014-01-02 19:15 EST, Wayne Beaton CLA

Description Wayne Beaton CLA 2014-01-02 19:15:43 EST
Created attachment 238638 [details]
XSS in action

From the security inbox:

--
I found a vulnerability flaw (XSS) in "www.eclipse.org", exactly in "www.eclipse.org/downloads/"
--

With a picture attachment.

Based on the picture, it appears that the vulnerability manifests in the package filter.
Comment 1 Christopher Guindon CLA 2014-01-03 00:20:18 EST
Thanks Wayne for opening this bug.

I was able to reproduce this with: <img src=x onerror=prompt(0)> 

We are using https://github.com/luis-almeida/filtrify for the package filter. I will need to open an issue on github once we have a fix.

I think this is only exploitable if the user types this himself in the text field.
Comment 2 Christopher Guindon CLA 2014-01-03 01:13:16 EST
I created this issue: https://github.com/luis-almeida/filtrify/issues/46
Comment 3 Wayne Beaton CLA 2014-01-03 12:46:57 EST
(In reply to Christopher Guindon from comment #1)
> I think this is only exploitable if the user type this himself in the text
> field.

Agreed. I think that this one is low-risk.
Comment 4 Wayne Beaton CLA 2014-01-03 12:47:56 EST
In follow up correspondence, the reporter asked to be named.

Abderrazak Y3S discovered and reported this vulnerability.
Comment 5 David Williams CLA 2015-04-07 08:54:16 EDT
(In reply to Wayne Beaton from comment #3)
> (In reply to Christopher Guindon from comment #1)
> > I think this is only exploitable if the user type this himself in the text
> > field.
> 
> Agreed. I think that this one is low-risk.

Not to contradict you, but those looking for such exploits have no trouble typing into the field themselves ... or, using a "robo dialer" to do such typing. That's part of the point ... we need to cover the "unexpected" cases. 

I'm not saying that makes it high risk ... but, just as risky as any other XSS exploit.
Comment 6 Christopher Guindon CLA 2015-04-13 11:17:23 EDT
(In reply to David Williams from comment #5)
> (In reply to Wayne Beaton from comment #3)
> > (In reply to Christopher Guindon from comment #1)
> > > I think this is only exploitable if the user type this himself in the text
> > > field.
> > 
> > Agreed. I think that this one is low-risk.
> 
> Not to contradict you, but those looking for such exploits have no trouble
> typing into the field themselves ... or, using a "robo dialer" to do such
> typing. That's part of the point ... we need to cover the "unexpected"
> cases. 
> 
> I'm not saying that makes it high risk ... but, just as risky as any other
> XSS exploit.

I created a pull request to fix this.
https://github.com/luis-almeida/filtrify/pull/65

I added my commit to our downloads page.

This should be fixed now.
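As an added illustration (not filtrify's code and not the contents of the pull request above, which this page does not show): the rendering pattern that lets the string from comment 1 execute in the filter widget, beside the output-encoding fix. The label template, function names and the assumption that the widget builds markup from the typed text are mine; in a browser the equivalent fix is assigning the text with textContent instead of innerHTML.

```javascript
// Added example; filtrify's real rendering code is not reproduced here.
// The string Christopher Guindon used to reproduce the bug (comment 1).
const REPRO_PAYLOAD = '<img src=x onerror=prompt(0)>';

// Assumed vulnerable pattern: the text the user typed into the package
// filter is concatenated straight into HTML that is later set as innerHTML.
function renderFilterLabelUnsafe(query) {
  return `<span class="ft-label">No match for: ${query}</span>`;
}

// Fix: encode the characters that can change HTML structure before the
// text reaches the markup. Covers tag text and double/single-quoted attrs.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderFilterLabelSafe(query) {
  return `<span class="ft-label">No match for: ${escapeHtml(query)}</span>`;
}

// Review check: does the rendered label carry any tag beyond the template's
// own <span>? True means user input was able to introduce markup.
function containsInjectedTag(markup) {
  const inner = markup
    .replace(/^<span class="ft-label">/, '')
    .replace(/<\/span>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Stand-alone run: compare both renderings for the reproduction string.
console.log('unsafe injects tag:', containsInjectedTag(renderFilterLabelUnsafe(REPRO_PAYLOAD)));
console.log('safe injects tag:  ', containsInjectedTag(renderFilterLabelSafe(REPRO_PAYLOAD)));
console.log(renderFilterLabelSafe(REPRO_PAYLOAD));
```

The same check applied to a value taken from the URL query string or hash rather than the text box is what turns comment 5's point into a concrete test case: the encoding must sit at the rendering step, not at the input source.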