
Bug 387865

Summary: Source code exposure in EHS3.6_GM_Build
Product: [Eclipse Project] Platform
Reporter: Soveran <yxzhong>
Component: User Assistance
Assignee: Platform-UI-Inbox <Platform-UI-Inbox>
Status: RESOLVED DUPLICATE
QA Contact:
Severity: normal
Priority: P3
CC: curtis.windatt.public, daniel_megert, john.arthorne, pwebster, tjwatson
Version: 3.6
Target Milestone: ---
Hardware: PC
OS: Windows XP
Whiteboard:
Attachments: manifest file could be seen (Flags: none)

Description Soveran CLA 2012-08-23 03:33:40 EDT
Created attachment 220188 [details]
manifest file could be seen

During our security testing, we found out the source code could be seen or downloaded easily in the following fashion:
1. http://localhost:9999/help/META-INF/MANIFEST.MF
2. http://localhost:9999/help/org/eclipse/help/internal/webapp/jsp/basic/header_jsp.class

This would be very risky because someone evil could analyze the code and attack the system.
Comment 1 Soveran CLA 2012-08-26 23:28:21 EDT
Any response? This is pretty urgent.
Comment 2 Curtis Windatt CLA 2012-08-28 10:57:43 EDT
Moving to User Assistance.  The help system runs a local server, but I doubt displaying source is an issue as the entire plug-in is open source.
Comment 3 Soveran CLA 2012-08-28 23:15:59 EDT
Found another way to expose the source code, see below:
http://localhost:9999/help/index.jsp*
Just add a "*" at the end of the URL.
Comment 4 Paul Webster CLA 2012-08-29 08:46:15 EDT
I cannot reproduce in 3.8 or Juno (4.2).

http://localhost:57299/help/META-INF/MANIFEST.MF

->
HTTP ERROR: 404

Problem accessing /help/META-INF/MANIFEST.MF. Reason:

    ProxyServlet: /help/META-INF/MANIFEST.MF


PW
Comment 5 Soveran CLA 2012-08-30 05:26:00 EDT
(In reply to comment #4)
> I cannot reproduce in 3.8 or Juno (4.2).
> 
> http://localhost:57299/help/META-INF/MANIFEST.MF
> 
> ->
> HTTP ERROR: 404
> 
> Problem accessing /help/META-INF/MANIFEST.MF. Reason:
> 
>     ProxyServlet: /help/META-INF/MANIFEST.MF
> 
> 
> PW

Would you use EHS3.6 to test it? That's what I found the issue on.
Comment 6 Paul Webster CLA 2012-08-30 06:01:43 EDT
I can reproduce it in 3.6, but it has since been fixed in a later release.

This component is not being watched any more.

PW
Comment 7 Paul Webster CLA 2012-08-30 06:02:05 EDT
(In reply to comment #3)
> Found another way to expose the source code, see below:
> http://localhost:9999/help/index.jsp*

I can't reproduce this in 3.6.2.

PW
Comment 8 Soveran CLA 2012-08-30 22:17:26 EDT
(In reply to comment #7)
> (In reply to comment #3)
> > Found another way to expose the source code, see below:
> > http://localhost:9999/help/index.jsp*
> 
> I can't reproduce this in 3.6.2
> 
> PW

I'm using EHS3.6, never heard there is a 3.6.2? Is it another version of EHS?
Comment 9 Soveran CLA 2012-08-31 04:32:11 EDT
(In reply to comment #6)
> I can reproduce it in 3.6, but it has since been fixed in a later release.
> 
> This component is not being watched any more.
> 
> PW

Could you fix this issue in EHS3.6?
Comment 10 Thomas Watson CLA 2012-09-05 08:43:22 EDT
(In reply to comment #9)
> (In reply to comment #6)
> > I can reproduce it in 3.6, but it has since been fixed in a later release.
> > 
> > This component is not being watched any more.
> > 
> > PW
> 
> Could you fix this issue in EHS3.6?

This is bug 328795.  This bug plus all the bugs it blocks have been backported to 3.6.2.  I'm not really sure what you mean by EHS3.6.  But if there is an EHS3.6 then there should be an EHS3.6.2 that includes the fix.

*** This bug has been marked as a duplicate of bug 328795 ***
Comment 11 John Arthorne CLA 2012-09-05 16:12:45 EDT
(In reply to comment #0)
> During our security testing, we found out the source code could be seen or
> downloaded easily in the following fashion:
> 1. http://localhost:9999/help/META-INF/MANIFEST.MF
> 2. http://localhost:9999/help/org/eclipse/help/internal/webapp/jsp/basic/
> header_jsp.class
> 
> This would be very risky because someone evil could analyze the code and
> attack the system.

Just to be clear, this is open source software and the source code is freely available to anyone.
Comment 12 Thomas Watson CLA 2012-09-05 17:06:11 EDT
(In reply to comment #11)
> (In reply to comment #0)
> > During our security testing, we found out the source code could be seen or
> > downloaded easily in the following fashion:
> > 1. http://localhost:9999/help/META-INF/MANIFEST.MF
> > 2. http://localhost:9999/help/org/eclipse/help/internal/webapp/jsp/basic/
> > header_jsp.class
> > 
> > This would be very risky because someone evil could analyze the code and
> > attack the system.
> 
> Just to be clear, this is open source software and the source code is freely
> available to anyone.

There are two issues discussed in this bug.  Access to the org.eclipse.help.webapp bundle source is covered by the fix in bug 304119.

The other more serious security issue is covered by the fix in bug 328795.  That bug allowed access to jsp source of any 3rd party bundle which is considered a security exposure to the 3rd party bundle.
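The two exposure classes Thomas separates above (bundle artefacts such as META-INF/MANIFEST.MF and compiled .class files served as static content, and JSP source leaking through a malformed extension such as the trailing "*" from comment 3) are both cases of a web app's static handler answering for paths it should never serve. The following is an added example for this report, not code from the Eclipse help system or from the fixes in bugs 304119 / 328795. It assumes a servlet-filter style hook that receives the raw request-URI path and must refuse it before any resource lookup or JSP compilation; the three request paths from this report are reused as-is, the remaining sample paths are constructed.

```python
"""Request-path guard for an embedded help web server (added example).

Assumption (not from the bug report): a servlet-filter style hook hands us
the raw request-URI path and we decide, before any resource lookup or JSP
compilation, whether the request must be refused.
"""
from __future__ import annotations

import posixpath
from urllib.parse import unquote

# Directory names whose contents must never reach a client (compared
# case-insensitively, since the report was filed against Windows).
PROTECTED_DIRS = {"meta-inf", "web-inf"}
# Build artefacts and JSP fragments that must never be served as static files.
PROTECTED_SUFFIXES = (".class", ".java", ".jspf")
# The only JSP extensions the JSP servlet should handle; any other leaf that
# still contains ".jsp" (e.g. "index.jsp*") misses the servlet mapping and
# would fall through to static serving of the page source.
JSP_EXTENSIONS = (".jsp", ".jspx")


def normalize_path(raw_path: str) -> str:
    """Canonicalise a request path: drop the query string, percent-decode
    twice (catches double encoding), unify separators and collapse '..'."""
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path)).replace("\\", "/")
    # Anchor at exactly one leading slash so '..' can never climb above the
    # web-app root; posixpath.normpath would otherwise keep a leading '//'.
    return posixpath.normpath("/" + path.lstrip("/"))


def classify_request(raw_path: str) -> tuple[bool, str]:
    """Return (forbidden, reason) for one request path."""
    if "\x00" in raw_path:
        return True, "null byte in path"
    segments = [s for s in normalize_path(raw_path).split("/") if s]
    for seg in segments:
        if seg.lower() in PROTECTED_DIRS:
            return True, f"protected directory '{seg}'"
    if not segments:
        return False, "ok"
    leaf = segments[-1]
    lower = leaf.lower()
    if lower.endswith(PROTECTED_SUFFIXES):
        return True, f"protected artefact '{leaf}'"
    if ".jsp" in lower and not lower.endswith(JSP_EXTENSIONS):
        return True, f"malformed JSP request '{leaf}'"
    return False, "ok"


# Constructed sample traffic: the three paths from this report plus encoded
# and traversal variants a regression check should cover as well.
SAMPLE_REQUESTS = [
    "/help/META-INF/MANIFEST.MF",
    "/help/org/eclipse/help/internal/webapp/jsp/basic/header_jsp.class",
    "/help/index.jsp*",
    "/help/index.jsp",
    "/help/topic/../WEB-INF/web.xml",
    "/help/%252e%252e/web-inf/web.xml",
    "/help/index.jsp%20",
    "/help/advanced/content.jsp?topic=x",
]


def audit(requests: list[str]) -> dict[str, tuple[bool, str]]:
    """Classify every request; usable as a unit test over a server's access log."""
    return {r: classify_request(r) for r in requests}


if __name__ == "__main__":
    for request, (forbidden, reason) in audit(SAMPLE_REQUESTS).items():
        print(f"{'DENY ' if forbidden else 'ALLOW'}  {request:70} {reason}")
```

The guard normalises before matching so that encoded dots, backslashes and double slashes cannot smuggle a protected segment past a string comparison, and it treats any JSP-looking leaf that is not exactly a JSP extension as a refusal rather than trusting the servlet mapping to sort it out. Such a filter is a defence-in-depth layer only; the durable fix, as the duplicate bugs did, is to stop mapping the static resource handler over bundle content in the first place.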
Comment 13 Soveran CLA 2012-09-07 02:56:59 EDT
We also found this issue in EHS34. Are there any fixes for this version of EHS? If not, can you guys provide a related fix for it?
Comment 14 Dani Megert CLA 2012-09-07 03:01:02 EDT
(In reply to comment #13)
> We also found this issue in EHS34. Are there any fixes for this version of
> EHS? If not, can you guys provide a related fix for it?

There's probably a 3.4.x which has the fix. Please report the bug inside IBM. Eclipse is not doing builds/fixes for 3.4 anymore.
Comment 15 Soveran CLA 2012-09-07 03:05:16 EDT
(In reply to comment #14)
> (In reply to comment #13)
> > We also found this issue in EHS34. Are there any fixes for this version of
> > EHS? If not, can you guys provide a related fix for it?
> 
> There's probably a 3.4.x which has the fix. Please report the bug inside
> IBM. Eclipse is not doing builds/fixes for 3.4 anymore.

Do you mean the Ottawa Bugzilla?
https://bugs.ottawa.ibm.com/?
Comment 16 Dani Megert CLA 2012-09-07 03:06:00 EDT
(In reply to comment #15)
> (In reply to comment #14)
> > (In reply to comment #13)
> > > We also found this issue in EHS34. Are there any fixes for this version of
> > > EHS? If not, can you guys provide a related fix for it?
> > 
> > There's probably a 3.4.x which has the fix. Please report the bug inside
> > IBM. Eclipse is not doing builds/fixes for 3.4 anymore.
> 
> Do you mean the Ottawa Bugzilla?
> https://bugs.ottawa.ibm.com/?

Yes.