Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 233466

Summary: [Webapp][Security] Site redirection vulnerability in Eclipse Help System
Product: [Eclipse Project] Platform Reporter: Darel Benysh <benysh>
Component: User AssistanceAssignee: Chris Goldthorpe <cgold>
Status: VERIFIED FIXED QA Contact:
Severity: major    
Priority: P2 CC: agarcher, cgold, curtispd, dejan, denis.roy, kleind, maguirem, Mike_Wilson, zhouyiy
Version: 3.4Flags: dejan: review+
curtispd: review+
agarcher: review+
Target Milestone: 3.4 RC3   
Hardware: All   
OS: All   
See Also: https://bugs.eclipse.org/bugs/show_bug.cgi?id=546430
Whiteboard:
Attachments:
Description Flags
Patch
none
Patch version 2 none

Description Darel Benysh CLA 2008-05-22 10:42:35 EDT 
Build ID: 3.4 m6

Steps To Reproduce:
1. Within an Eclipse Help system running in infocenter mode, use the ?topic= parameter on the URL to specify a fully specified URL to another site.
e.g. 
http://publib.boulder.ibm.com/infocenter/wpdoc/v6r0/index.jsp?topic=http://www.google.com
2.
3.


More information:
The topic parameter on the URL is vulnerable to exploitation and *is* being used to deliver spam and potentially more harmful code while making it appear that the information center being hosted is the source of the material.

Instances of this exploitation have been found out in the 'wild'.

It will pull in content from whatever URL you add on the end there and embeds it into content pane in the infocenter.
This can be used to deliver malware and spyware to unsuspecting victims,  making them think they are clicking on a legitimate link within that infocenter.

Suggested fix would be to not allow URLs outside the current domain within the topic param.  Additionally, to allow more flexibility, make that level of security a configurable startup option to the help system.

Final note, this bug has been found in EHS 3.1, 3.2, and 3.4m6
Comment 1 Chris Goldthorpe CLA 2008-05-27 15:43:38 EDT 
Raising the priority to P2 and severity to major. 

Since this vulnerability has already been exploited it needs to be fixed. The problem affects infocenters - I think that the infocenter case is the only one that needs to be fixed but that is something that we can discuss here.

For infocenters the only real solution is to not allow the raw topic parameter to be the URL for the content pane. Instead we should either call a function to filter out any urls which represent URLs outside of the help system and replace them with the URL of an error page or ignore the topic parameter completely in an infocenter - as far as I can tell there is no reason to use a URL with a topic parameter to access an infocenter.

The topic parameter does have legitmate uses when the help system is called from Eclipse, for example when help is opened from Welcome, from a cheatsheet or from an infopop. I don't think any restrictions should be placed on use of the topic parameter when calling the help system from Eclipse because there are legitimate ways to use external URLs and because the vulnerability is a serious problem only for the infocenter.

Dejan, Curtis what are your thoughts on this bug, particularly any risks involved? We are in RC3 now but this bug is serious enough that it may warrant inclusion.
Comment 2 Dejan Glozic CLA 2008-05-27 16:04:04 EDT 
We should be careful to provide the fix in a way that does not break the existing infocenters. If they link to a page using a full URL it should continue to work as today. We should probably fix this using some kind of configuration parameter/preference for the infocenter that is placed in the plugin_configuraition.ini. The configuration parameter would offer several degrees of strictness (no external links whatsoever, same domain only, 'friendly domains' list etc.)
Comment 3 Darel Benysh CLA 2008-05-27 16:16:53 EDT 
I agree, I don't think we should disable the topic parameter for infocenters.  It is fairly common practice to use the topic param to target into a specific page in
an infocenter. 

I think infocenter solutions would either disallow full URLs within the topic
paramter (http://....) or disallow URLs away from the host the infocenter is
running on.

Providing a configuration option to control the strictness would be a nice additional level to control the functionality.  But it wouldn't be required to fix the hole.  If there is a configuration option, the default should be fairly strict though.
Comment 4 Curtis d'Entremont CLA 2008-05-27 17:35:46 EDT 
Seems like a reasonable precaution. Two things that will need to be tested are links to external pages in the toc or index (this is valid) and remote help. I don't think either of these uses this topic parameter but.. just in case.
Comment 5 Chris Goldthorpe CLA 2008-05-27 18:37:06 EDT 
Good comments, here's my latest thoughts on this.

I agree we need a preference to control whether the infocenter allows the topic parameter to be an external URL, the default should be to filter out the external URLs. A possible name for this preference is org.eclipse.help.base.restrictTopicParam.

If the topic URL is external and we are running in restricted mode we can display the home page in it's place. An alternative would be to create a new error page to handle this situation but I don't think that is necessary.

Eclipse and Standalone help should allow any value for the topic parameter - I don't think a preference is needed. 

The simplest implementation would be to disallow any URL starting with http: or https: when in restricted mode. This would also disallow URLs which happened to be on the same server as the help system but I don't see that as a situation that is going to arise in normal usage.
Comment 6 Chris Goldthorpe CLA 2008-05-28 12:08:34 EDT 
Created attachment 102421 [details]
Patch

Here is a patch which adds a preference org.eclipse.help.base.restrictTopicParameter. If true the infocenter will show the home page if a topic parameter starting with http: or https: is passed in.

The one aspect of this patch which needs to be considered carefully is whether this the right test to be performing, will it be sufficiently restrictive to filter out any abusive URLs and conversely is it overly restrictive in a way that would impact legitimate uses in which case I will revise the patch.

I have no doubt that we need to fix this problem, I just want to make sure that I get the details right.
Comment 7 Curtis d'Entremont CLA 2008-05-28 12:29:06 EDT 
I would make it a case-insensitive check, just in case (my browser accepts uppercase HTTP:// urls).

Also, one question I have (and don't know the answer to) is whether we should worry at all about other protocols, like ftp:/.
Comment 8 Chris Goldthorpe CLA 2008-05-28 12:38:59 EDT 
I agree with restricting any URL which starts with a protocol, I can't think of a valid reason for using any other protocol in the topic parameter. There probably is some other protocol that could be used maliciously - better to make the restricted mode only allow paths without protocol.
Comment 9 Chris Goldthorpe CLA 2008-05-28 16:54:15 EDT 
Created attachment 102517 [details]
Patch version 2

This patch restricts any value for the topic parameter which has a protocol. The restriction is enforced only in infocenter mode and can be overridden in  preferences.ini.
Comment 10 Chris Goldthorpe CLA 2008-05-28 19:43:04 EDT 
I have released the patch to HEAD. I will set the state to fixed once I've updated the docs.
Comment 11 Chris Goldthorpe CLA 2008-05-30 17:04:19 EDT 
The docs have been updated. Marking as FIXED.
Comment 12 Chris Goldthorpe CLA 2008-06-04 01:17:19 EDT 
Verified in  eclipse-SDK-I20080530-1400-win32 by Yi Yan Zhou.
Comment 13 Denis Roy CLA 2009-12-10 10:09:07 EST 
If this is fixed we can remove the bug from the closed Security group?
Comment 14 Chris Goldthorpe CLA 2009-12-10 13:13:38 EST 
Yes, I agree. Clearing the security flag.