========================================================= Eclipse IDE | Help Server Local Cross Site Scripting (XSS) Vulnerability ========================================================= 1. OVERVIEW The Help Content web application of Eclipse IDE was vulnerable to Cross Site Scripting (XSS) Vulnerability. 2. PRODUCT DESCRIPTION Eclipse is a multi-language software development environment comprising an integrated development environment (IDE) and an extensible plug-in system. It is written mostly in Java and can be used to develop applications in Java and, by means of various plug-ins, other programming languages including Ada, C, C++, COBOL, Perl, PHP, Python, Ruby (including Ruby on Rails framework), Scala, and Scheme. The IDE is often called Eclipse ADT for Ada, Eclipse CDT for C/C++, Eclipse JDT for Java, and Eclipse PDT for PHP. 3. VULNERABILITY DESCRIPTION Eclipse Help Contents are served as a web application via the built-in Jetty Web Server plugin. Cross Site Scripting vulnerabilities were found in /help/index.jsp and /help/advanced/content.jsp URLs. XSS on /help/advanced/content.jsp url makes the browser hang but even after clicking "Stop Executing" button, users can still get XSS. 4. VERSIONS AFFECTED Eclipse IDE Version: 3.6.1 <= Tested Editions(SDK, Java, J2EE) 5. PROOF-OF-CONCEPT/EXPLOIT http://localhost:[REPLACE]/help/index.jsp?'onload='alert(0) http://localhost:[REPLACE]/help/advanced/content.jsp?'onload='alert(0) 6. IMPACT In a situation where users' browser security settings are weak, the localized XSS vector could enable attackers to perform a number of black acts including cross site content access, smb shares enumeration, remote code execution, malicious trojan downloading and execution ...etc. 7. SOLUTION Apply the recent error-free nightly builds (ie. http://download.eclipse.org/eclipse/downloads/drops/N20101110-2000/index.php) . According to the developer, "Chris Goldthorpe", the fix is in the nightly build, http://download.eclipse.org/eclipse/downloads/drops/N20101108-2000/index.php , it will also be in 3.6.2 (February 2011) and 3.7 (June 2011). 8. VENDOR Eclipse Developers Team http://www.eclipse.org/ 9. CREDIT This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 10. DISCLOSURE TIME-LINE 2010-11-04 : vulnerability discovered 2010-11-05 : notified vendor 2010-11-08 : patch released and applied to svn 2010-11-16 : vulnerability disclosed 11. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/eclipse/[eclipse_help_server]_cross_site_scripting Eclipse Bug Tracker: https://bugs.eclipse.org/bugs/show_bug.cgi?id=329582 Previous XSS Flaws: http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html (searchView.jsp, workingSetManager.jsp) Cross Environment Hopping: http://blog.watchfire.com/wfblog/2008/06/cross-environ-1.html About Eclipse IDE: https://secure.wikimedia.org/wikipedia/en/wiki/Eclipse_%28software%29 #yehg [2010-11-16] --------------------------------- Best regards, YGN Ethical Hacker Group Yangon, Myanmar http://yehg.net Our Lab | http://yehg.net/lab Our Directory | http://yehg.net/hwd