Eclipse IDE Cross Site Scripting

`=========================================================  
Eclipse IDE | Help Server Local Cross Site Scripting (XSS) Vulnerability  
=========================================================  
  
  
1. OVERVIEW  
  
The Help Content web application of Eclipse IDE was vulnerable to  
Cross Site Scripting (XSS) Vulnerability.  
  
  
2. PRODUCT DESCRIPTION  
  
Eclipse is a multi-language software development environment  
comprising an integrated development environment (IDE) and an  
extensible plug-in system. It is written mostly in Java and can be  
used to develop applications in Java and, by means of various  
plug-ins, other programming languages including Ada, C, C++, COBOL,  
Perl, PHP, Python, Ruby (including Ruby on Rails framework), Scala,  
and Scheme. The IDE is often called Eclipse ADT for Ada, Eclipse CDT  
for C/C++, Eclipse JDT for Java, and Eclipse PDT for PHP.  
  
  
3. VULNERABILITY DESCRIPTION  
  
Eclipse Help Contents are served as a web application via the built-in  
Jetty Web Server plugin. Cross Site Scripting vulnerabilities were  
found in /help/index.jsp and /help/advanced/content.jsp URLs. XSS on  
/help/advanced/content.jsp url makes the browser hang  
but even after clicking "Stop Executing" button, users can still get XSS.  
  
  
4. VERSIONS AFFECTED  
  
Eclipse IDE Version: 3.6.1 <=  
  
Tested Editions(SDK, Java, J2EE)  
  
  
5. PROOF-OF-CONCEPT/EXPLOIT  
  
http://localhost:[REPLACE]/help/index.jsp?'onload='alert(0)  
http://localhost:[REPLACE]/help/advanced/content.jsp?'onload='alert(0)  
  
  
6. IMPACT  
  
In a situation where users' browser security settings are weak, the  
localized XSS vector could enable attackers to perform a number of  
black acts including cross site content access, smb shares  
enumeration, remote code execution, malicious trojan downloading and  
execution ...etc.  
  
  
7. SOLUTION  
  
Apply the recent error-free nightly builds (ie.  
http://download.eclipse.org/eclipse/downloads/drops/N20101110-2000/index.php)  
.  
According to the developer, "Chris Goldthorpe", the fix is in the  
nightly build, http://download.eclipse.org/eclipse/downloads/drops/N20101108-2000/index.php  
, it will also be in 3.6.2 (February 2011) and 3.7 (June 2011).  
  
  
8. VENDOR  
  
Eclipse Developers Team  
http://www.eclipse.org/  
  
  
9. CREDIT  
  
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN  
Ethical Hacker Group, Myanmar.  
  
  
10. DISCLOSURE TIME-LINE  
  
2010-11-04 : vulnerability discovered  
2010-11-05 : notified vendor  
2010-11-08 : patch released and applied to svn  
2010-11-16 : vulnerability disclosed  
  
  
11. REFERENCES  
  
Original Advisory URL:  
http://yehg.net/lab/pr0js/advisories/eclipse/[eclipse_help_server]_cross_site_scripting  
Eclipse Bug Tracker: https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582  
Previous XSS Flaws:  
http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html  
(searchView.jsp, workingSetManager.jsp)  
Cross Environment Hopping:  
http://blog.watchfire.com/wfblog/2008/06/cross-environ-1.html  
About Eclipse IDE:  
https://secure.wikimedia.org/wikipedia/en/wiki/Eclipse_%28software%29  
  
#yehg [2010-11-16]  
  
---------------------------------  
Best regards,  
YGN Ethical Hacker Group  
Yangon, Myanmar  
http://yehg.net  
Our Lab | http://yehg.net/lab  
Our Directory | http://yehg.net/hwd  
`