Bug 311797

Summary: [Webapp][Security] Phishing vulnerability in webapp war file
Product: [Eclipse Project] Platform
Reporter: Chris Goldthorpe <cgold>
Component: User Assistance
Assignee: platform-ua-inbox <platform-ua-inbox>
Status: RESOLVED INVALID
QA Contact:
Severity: normal
Priority: P3
CC: ChrisAustin, kleind, zhhaohh
Version: 3.6
Target Milestone: ---
Hardware: PC
OS: Windows XP
Whiteboard:
Attachments:
  Possible fix (flags: none)

Description Chris Goldthorpe CLA 2010-05-05 16:56:35 EDT
I20100429-1549

A phishing vulnerability was fixed in the Eclipse Infocenter by adding the function isValidTopicUrl() to UrlUtil.  A scan with an automated tool revealed that the vulnerability still exists in the war file version of the help system.
Comment 1 Chris Goldthorpe CLA 2010-05-06 18:05:43 EDT
Created attachment 167410: Possible fix

I have been unable to reproduce this problem in a running war but the tool hit on an area which has been a problem in the past. Possible theories are

a) The preferences are not getting initialized correctly
b) org.eclipse.help.internal.webapp.data.UrlUtil.isValidTopicURL(String) is getting called before BaseHelpSystem.checkMode() is called.
c) The help system is bypassing the check by being launched in basic mode.

I tried testing in basic mode and did not see the problem. This patch fixes a) and b). Chris A, can you apply this patch and retest? I don't know if this represents a bug that a user could ever exploit, but it would be nice to get a clean report from AppScan. If this fixes the problem we should remove the preference that suppresses the anti-phishing check.
Comment 2 Chris Austin CLA 2010-05-07 10:18:26 EDT
Unfortunately I still see the phishing alert in the AppScan results:
-------------------------
Possible Causes
The web application performs a redirection to an external site

Technical Description
Phishing is a general term for attempts to scam users into surrendering private information that will be used for identity theft. 
An http parameter was found to hold a URL value and cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. The fact that the server name in the modified link is identical to the original site helps the attacker by giving his phishing attempts a more reliable appearance. 
Sample Exploit: When a parameter with a URL-like value is found, it is modified to point to another site. 
For example, the following request: http://www.site.com/redirect.aspx?target=http://www.anotherSite.com 
will be modified to: http://www.site.com/redirect.aspx?target=http://www.watchfire.com 

Fix Recommendation
Avoid redirecting to outer sites based on parameter values. If it is necessary to do so, be sure to validate the URL to which the application is redirected, and avoid redirections to unknown sites.
-------------------------

If we are validating the URLs properly, we will never encounter this problem. But I don't know that AppScan tests to see if we are validating, per the 'Fix Recommendation', so this may always fail...
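An added illustration of the 'Fix Recommendation' quoted above, written in Python for this edit and not taken from the Eclipse help webapp (it is not UrlUtil.isValidTopicUrl): a redirect-target check that accepts only server-relative paths or absolute URLs on an allowlisted host, and otherwise falls back to a default page. The allowed-host set, the default landing page and the sample request (built from the site.com / watchfire.com hosts in the AppScan text) are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist: the hosts the help system itself is served from.
ALLOWED_HOSTS = {"www.site.com"}


def is_valid_topic_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `url` keeps the browser on the help server.

    Accepts relative paths ("/topic/a.html", "a.html") and absolute
    http(s) URLs whose host is allowlisted. Rejects the forms a browser
    would turn into an external or script-scheme navigation even though
    a naive "does it start with /" or "does it contain our host" check
    would pass them.
    """
    if not url or url != url.strip():
        return False
    if any(c in url for c in "\\\r\n\t\0"):
        return False  # backslashes / control chars are parser-confusion inputs
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path. "///host" collapses to "//host" in browsers,
        # so anything starting with two slashes is not relative.
        return not url.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, or a bare "//host" (empty scheme)
    if "@" in parts.netloc:
        return False  # http://www.site.com@other.host -> real host is other.host
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def choose_redirect(request_url: str, default: str = "/index.jsp") -> str:
    """Resolve the `target` query parameter the way a hardened redirect would:
    honour it only when it validates, otherwise send the user to `default`."""
    params = parse_qs(urlsplit(request_url).query)
    target = params.get("target", [""])[0]
    return target if is_valid_topic_url(target) else default


if __name__ == "__main__":
    # The AppScan sample request, with the target rewritten to an outside host.
    print(choose_redirect("http://www.site.com/redirect.aspx?target=http://www.watchfire.com"))
    print(choose_redirect("http://www.site.com/redirect.aspx?target=/topic/index.html"))
```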
Comment 3 Chris Goldthorpe CLA 2010-05-13 16:48:44 EDT
After investigating this carefully I do not see a phishing problem. I used the URL which came from the AppScan tool and opened it, but did not see any redirection to a spoofed site visible in the browser. I used Firebug to look at the requests, but again no request was sent to an external site. I will leave this open as we continue to investigate, but have removed the target milestone.
Comment 4 Chris Goldthorpe CLA 2010-05-20 17:12:04 EDT
Further analysis has shown that this is not a real phishing vulnerability.