Bug 427830 - XSS vulnerability on www.eclipse.org
Summary: XSS vulnerability on www.eclipse.org
Status: RESOLVED FIXED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Website
Version: unspecified
Hardware: PC Linux
Importance: P3 normal
Target Milestone: ---
Assignee: phoenix.ui
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2014-02-10 13:05 EST by Wayne Beaton
Modified: 2014-02-12 15:39 EST

See Also:


Attachments
Vulnerability in action (264.87 KB, image/png)
2014-02-10 13:05 EST, Wayne Beaton

Description Wayne Beaton 2014-02-10 13:05:20 EST
Created attachment 239793
Vulnerability in action

From the security inbox:

--
I found an XSS vulnerability on your website at https://dev.eclipse.org/site_login/?takemeback=http://www.eclipse.org/forums/index.php?t=login
Please download my screenshot.

Step 1: go to http://www.eclipse.org/; then you can see the forum at http://www.eclipse.org/forums/

Step 2: go to log in; you can see the email text box.

Step 3: insert this code: "><img src=x onerror=prompt(1);>"<br><h1>You have been HACKED! </h1>"
Then click the login button and wait a few seconds.

Finally, done! You can see the stored XSS vulnerability.
--
Comment 1 Denis Roy 2014-02-11 11:57:12 EST
https://git.eclipse.org/r/#/c/21818/

That was a regression from a past bug. If the email address wasn't a valid email address, we threw an error but displayed the invalid content without any untainting.

An even more secure approach would be to clear the value altogether,
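To make the regression in Comment 1 concrete, here is an added example (not eclipse.org's code, and not the content of the linked Gerrit change): a minimal login-form error path that rejects an invalid e-mail address, shown once echoing the raw value, once HTML-escaping it, and once clearing it as Denis suggests. Function names, the validation regex and the markup are assumptions; the reporter's payload from the description is reused only as test input.

```python
import html
import re

# Constructed example modelled on the bug in Comment 1; names are assumptions.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Payload quoted in the bug description, used here as test input only.
PAYLOAD = '"><img src=x onerror=prompt(1);>"<br><h1>You have been HACKED! </h1>"'

ERROR_HTML = '<p class="error">Invalid e-mail address</p>'


def is_valid_email(value: str) -> bool:
    """Small syntactic check; anything failing it takes the error branch."""
    return bool(EMAIL_RE.match(value))


def render_login_vulnerable(email: str) -> str:
    """Regressed behaviour: the rejected value is interpolated unescaped."""
    if is_valid_email(email):
        return "<p>Logging in...</p>"
    # The raw string closes the value="" attribute and injects markup.
    return ERROR_HTML + f'<input type="text" name="email" value="{email}">'


def render_login_fixed(email: str) -> str:
    """Untainted behaviour: escape < > & " ' before echoing the value."""
    if is_valid_email(email):
        return "<p>Logging in...</p>"
    safe = html.escape(email, quote=True)
    return ERROR_HTML + f'<input type="text" name="email" value="{safe}">'


def render_login_cleared(email: str) -> str:
    """Stricter option from Comment 1: do not echo the rejected value at all."""
    if is_valid_email(email):
        return "<p>Logging in...</p>"
    return ERROR_HTML + '<input type="text" name="email" value="">'


def injects_markup(page: str) -> bool:
    """Check used by the assertions: did an unescaped <img tag reach the page?"""
    return "<img" in page.lower()


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_login_vulnerable),
                     ("fixed", render_login_fixed),
                     ("cleared", render_login_cleared)):
        print(f"{name:10s} injects markup: {injects_markup(fn(PAYLOAD))}")
```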
Comment 3 jayson zabate 2014-02-12 14:42:06 EST
Do you have rewards for that report? ^_^
Comment 4 Denis Roy 2014-02-12 15:39:08 EST
Unfortunately, we don't provide rewards. We do recognize and appreciate your efforts via this Bug :)