IBM Eclipse Help System (IEHS) Cross-Site Scripting Vulnerability

[+] Author: Filippo Roncari
[+] Target: IBM Eclipse Help System (IEHS) 
[+] Version: 6.1.0 => 6.1.0.6, 6.1.5 => 6.1.5.3, 7.0 => 7.0.0.2, 8.0 < 8.0.0.1
[+] Vendor: http://www.ibm.com
[+] Accessibility: Remote
[+] Severity: Medium
[+] CVE: CVE-2014-0917
[+] Advisory URL: https://www.securenetwork.it/docs/advisory/SN-14-03-IBM.pdf
[+] Contacts: f.roncari@securenetwork.it 


[+] Summary
IBM Eclipse Help System (IEHS) is a customizable help system included in many IBM software products such as the IBM WebSphere Portal. It is based on an XML table of contents referencing HTML files, allowing building easy-to-use and searchable help documentation. Further information are available on the IBM website.


[+] Vulnerability Details
IBM Eclipse Help System is prone to a Cross-Site Scripting (XSS) vulnerability due to an improper validation of user-supplied input, which permits to inject arbitrary client-side JavaScript code. A potential attacker could exploit this issue by persuading a victim to click on a specially-crafted URL or to visit a malicious domain. This vulnerability can lead to cookie stealing and account violation.


[+] Technical Details
See full advisory at https://www.securenetwork.it/docs/advisory/SN-14-03-IBM.pdf for technical details and source code.


[+] Proof of Concept (PoC) 

  [!] PoC URL
  -------------------------
  http://application-path/iehs/topic/%22);alert(document.cookie);(%22.html
  -------------------------

For technical details and explanations check the full advisory.  


[+] Disclaimer
Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.