
Bug 223363

Summary: [Webapp][Security] Cross site scripting vulnerabilities in confirm.jsp and deferredView.jsp
Product: [Eclipse Project] Platform
Reporter: Bill Pugh <pugh>
Component: User Assistance
Assignee: platform-ua-inbox <platform-ua-inbox>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P2
CC: benysh, bokowski, cgold, jzhenbo, kleind, maguirem, zhouyiy
Version: 3.4
Target Milestone: 3.4 M7
Hardware: PC
OS: Mac OS X - Carbon (unsup.)
Whiteboard:
Attachments: Patch (flags: none)

Description Bill Pugh CLA 2008-03-20 11:24:05 EDT
Build ID: M20080221-1800

Steps To Reproduce:
1. Send requests to confirm.jsp or deferredView.jsp that contain malicious javascript code.

More information:
The confirm.jsp page directly embeds the http parameters confirmCallback, dontaskagainCallback and initialFocus into the response.
deferredView.jsp directly embeds the http parameter href into the response.
This creates a cross site scripting vulnerability. See http://www.owasp.org/index.php/Cross_Site_Scripting for more details.
You have to evaluate whether you care about cross site scripting vulnerabilities in the output of the web pages; but since FindBugs now reports these vulnerabilities, I felt I should give you fair warning.

The fix is to also accept parameters that match a pattern that describes the expected values for those parameters.
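The allow-list approach the report proposes, as an added illustration (not the Eclipse help webapp's code and not the attached patch): each parameter is matched against a pattern describing its expected value, and anything else is replaced by a fixed fallback before it reaches the page. The patterns, the `noOp` fallback name and the use of a Map in place of request.getParameter() are assumptions made for this example.

```java
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Allow-list validation for the parameters named in the report. Constructed
 * illustration, not the Eclipse help webapp's code; the patterns are assumptions
 * about the shape each parameter is expected to have.
 */
public class HelpParamValidator {

    // confirmCallback / dontaskagainCallback: a bare JavaScript function name.
    static final Pattern JS_IDENTIFIER = Pattern.compile("[A-Za-z_$][A-Za-z0-9_$]{0,63}");
    // initialFocus: an HTML element id.
    static final Pattern ELEMENT_ID = Pattern.compile("[A-Za-z][A-Za-z0-9_:.-]{0,63}");
    // href: a relative path inside the webapp (no scheme, no "..", no quotes or angle brackets).
    static final Pattern RELATIVE_HREF =
        Pattern.compile("(?!.*\\.\\.)[A-Za-z0-9_./-]{1,512}(\\?[A-Za-z0-9_=&%.-]*)?");

    /** Returns the parameter if it matches the expected shape, otherwise the safe fallback. */
    static String accept(Map<String, String> params, String name, Pattern expected, String fallback) {
        String value = params.get(name);
        return (value != null && expected.matcher(value).matches()) ? value : fallback;
    }

    public static void main(String[] args) {
        // Constructed stand-ins for request.getParameter(): one benign request, one malformed.
        Map<String, String> benign = Map.of(
            "confirmCallback", "confirmShowAll",
            "initialFocus", "okButton",
            "href", "topic/help.html?nav=1");
        Map<String, String> malformed = Map.of(
            "confirmCallback", "ok();other",
            "initialFocus", "x\" onfocus=\"y",
            "href", "javascript:void(0)");

        for (Map<String, String> p : List.of(benign, malformed)) {
            // "noOp" is assumed to be a no-op function defined by the page itself.
            String cb = accept(p, "confirmCallback", JS_IDENTIFIER, "noOp");
            String focus = accept(p, "initialFocus", ELEMENT_ID, "");
            String href = accept(p, "href", RELATIVE_HREF, "index.jsp");
            // Only the validated values are written into the response; the raw
            // parameter is never echoed, so no output encoding step can be skipped by mistake.
            System.out.println("callback=" + cb + " focus=" + focus + " href=" + href);
        }
    }
}
```

Because the accepted values are restricted to identifier and path characters, the validated strings need no JavaScript escaping in the callback context, which sidesteps the over-escaping problem described later in this bug.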
Comment 1 Chris Goldthorpe CLA 2008-03-24 15:05:42 EDT
Created attachment 93307: Patch

I agree that request parameters need to be handled carefully. I can't see any way to exploit either of these two files in their current form but this seems to be more by accident than by design. I have reviewed all of the calls to getParameter() in the jsp files and cleaned up the code in a few places to prevent any possibility of arbitrary strings being inserted into the jsps via rogue parameters.
Comment 2 Chris Goldthorpe CLA 2008-03-24 15:07:54 EDT
Fixed in HEAD. Thanks for alerting us to this.
Comment 3 Chris Goldthorpe CLA 2008-03-28 13:43:33 EDT
I had to back out part of the fix because UrlUtil.JavaScriptEncode was over escaping the characters. This was not a problem on Firefox but on IE it caused a script error in the show all topics confirm dialog which prevented the OK and cancel buttons from working.
Comment 4 Chris Goldthorpe CLA 2008-03-31 17:07:51 EDT
I have fixed this by recoding confirmShowAll.jsp to include confirm.jsp and remove the unused jsp file askShowAll.jsp so that parameters do not need to be passed around.
Comment 5 Yi Yan Zhou CLA 2008-09-18 04:45:39 EDT
Hi Chris, can you paste the patch again? I'm preparing a fix for 3.0.1 and need your help. Thanks.
Comment 6 Chris Goldthorpe CLA 2008-10-06 16:07:15 EDT
It's been a while since I looked at this but based on the comments it looks as though I submitted a patch but then had to make an additional change due to a problem with that patch. Creating an updated patch is not so easy at this stage - here is what I think you need to do to fix 3.0.1.

Apply the fix to deferredView.jsp contained in the patch.
Copy confirmShowAll.jsp to your 3.0.1 workspace.
Delete confirm.jsp from your workspace.
Check that the show all command still works correctly.