Bug 570090 - OBB-1677065 - XSS vuln for eclipse.org
Summary: OBB-1677065 - XSS vuln for eclipse.org
Status: RESOLVED FIXED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: PC Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Martin Lowe CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2021-01-05 09:04 EST by Christopher Guindon CLA
Modified: 2021-01-25 13:56 EST

Description Christopher Guindon CLA 2021-01-05 09:04:56 EST
Reported by Md. Nur A Alam Dipu:

This is a cross-site scripting vulnerability at eclipse.org in the ?key= endpoint.

Endpoints: "?key="

XSS url :
https://www.eclipse.org/technology/pmc-minutes.php?key=%22%3E%3C/script%3E%3Csvg/onload=alert(2)%3E

Payload : "></script><svg/onload=alert(document.domain)>

Steps to reproduce:

1 : Add XSS payload at the endpoint
https://www.eclipse.org/technology/pmc-minutes.php?key=%22%3E%3C/script%3E%3Csvg/onload=alert(2)%3E

2 : Press enter or open it in the browser
3 : While entering the payload or opening it in the browser, the XSS will trigger.

Impact :
With an XSS vulnerability, attackers can steal victim browser sessions, cookies, IP addresses, perform keylogging and obtain other information.

Fix:
Sanitize the input value and properly forbid all special characters like ",'<>,/.
Comment 1 Christopher Guindon CLA 2021-01-05 09:06:44 EST
We shouldn't be printing $_GET variables without encoding the content first:
https://git.eclipse.org/c/www.eclipse.org/technology.git/tree/pmc-minutes.php#n22


More information:
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
Comment 2 Eclipse Genie CLA 2021-01-05 09:19:41 EST
New Gerrit change created: https://git.eclipse.org/r/c/www.eclipse.org/technology/+/174281
Comment 4 Wayne Beaton CLA 2021-01-05 10:11:17 EST
FWIW, this is very old functionality that I'm thinking I'll just delete.
Comment 5 Christopher Guindon CLA 2021-01-05 10:39:10 EST
I did notice that Wayne approved the patch; however, not all the changes that I initially requested were done.

1. Please replace isset() with !empty(). An empty string is not useful here.
2. We try to avoid short_open_tags with PHP. Please re-write: 
<?= $App->checkPlain($_GET['key']) ?> 

with:

<?php print $App->checkPlain($_GET['key']); ?>

We don't need to change all instances but I would expect us to drop the short form if we update a line of code that's using it.

More information about short_open_tags:
https://softwareengineering.stackexchange.com/a/151694
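The reflected-parameter pattern discussed in comments 1 and 5, written out as an added example that is not the pmc-minutes.php code (only linked above) and not eclipse.org's code: the vulnerable echo of a raw $_GET value beside the hardened form. $App->checkPlain() is the site's own helper and is not reproduced; the example assumes it behaves like htmlspecialchars() with ENT_QUOTES, the standard PHP output encoding for an HTML body or attribute context. The attribute context is also an assumption, chosen because the reported payload opens with `">` to break out of a quoted attribute. The function names and the sample input are constructed for the example.

```php
<?php
// Added example, not the eclipse.org code. Runnable from the CLI: php example.php
// Assumption: $App->checkPlain() from the bug is an htmlspecialchars()-style
// encoder; encodePlain() below stands in for it.

declare(strict_types=1);

// Constructed input: the reported payload as PHP sees it after URL-decoding
// ?key=%22%3E%3C/script%3E%3Csvg/onload=alert(2)%3E
$_GET['key'] = '"></script><svg/onload=alert(2)>';

// Vulnerable: the raw query parameter is concatenated into markup. A value
// that closes the surrounding quoted attribute and opens a new element is
// parsed as markup by the browser, so the svg onload handler runs.
function renderVulnerable(array $get): string
{
    $key = isset($get['key']) ? $get['key'] : '';
    return '<input type="text" name="key" value="' . $key . '">';
}

// Stand-in for checkPlain(): encode <, >, &, " and ' so the value can never
// terminate an attribute or start a tag. The explicit charset avoids
// encoding mismatches between the request and the page.
function encodePlain(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened: !empty() instead of isset() (comment 5), since an empty string is
// useless here, then encode before printing. Caveat: empty() also treats the
// string "0" as empty; acceptable for a free-text key, not for numeric IDs.
function renderHardened(array $get): string
{
    if (empty($get['key'])) {
        return '<input type="text" name="key" value="">';
    }
    return '<input type="text" name="key" value="' . encodePlain($get['key']) . '">';
}

echo "vulnerable: ", renderVulnerable($_GET), PHP_EOL;
echo "hardened:   ", renderHardened($_GET), PHP_EOL;

// Cheap regression check: no raw tag or quote from the parameter may survive
// in the hardened output, and the encoded form must be present.
$hardened = renderHardened($_GET);
$expected = '&quot;&gt;&lt;/script&gt;&lt;svg/onload=alert(2)&gt;';
if (strpos($hardened, '<svg') !== false
    || strpos($hardened, '</script>') !== false
    || strpos($hardened, $expected) === false) {
    fwrite(STDERR, "hardened output still contains raw markup\n");
    exit(1);
}
echo "ok: parameter is inert in the hardened output", PHP_EOL;
```

Encoding at the output point is the right fix here rather than the character blocklist suggested in the report: the value stays intact for legitimate input, and the browser renders the characters literally instead of parsing them. The encoding must still match the context; htmlspecialchars() is correct for element content and quoted attributes, but a value placed inside an inline `<script>` block or a URL needs a different encoder.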
Comment 6 Eclipse Genie CLA 2021-01-06 10:23:40 EST
New Gerrit change created: https://git.eclipse.org/r/c/www.eclipse.org/technology/+/174340
Comment 7 Eclipse Genie CLA 2021-01-06 10:23:42 EST
New Gerrit change created: https://git.eclipse.org/r/c/www.eclipse.org/technology/+/174341
Comment 9 Christopher Guindon CLA 2021-01-06 13:13:57 EST
(In reply to Eclipse Genie from comment #8)
> Gerrit change
> https://git.eclipse.org/r/c/www.eclipse.org/technology/+/174341 was merged
> to [master].
> Commit:
> http://git.eclipse.org/c/www.eclipse.org/technology.git/commit/
> ?id=95d283127eae3b5b7741e0dbe0c75926ab639fb0

I think we are done here!

Thanks Martin and Md. Nur A Alam Dipu.