
Bug 411248

Summary: [Eclipse.org] Multiple XSS Vulnerabilities
Product: Community
Component: Project Management & Portal
Status: RESOLVED FIXED
Severity: normal
Priority: P3
Version: unspecified
Target Milestone: ---
Hardware: All
OS: All
Reporter: 'svg onloadalert0 'svg onloadalert1 <wcypierre>
Assignee: Portal Bugzilla Dummy Inbox <portal-inbox>
CC: wayne.beaton

Description 'svg onloadalert0 'svg onloadalert1 CLA 2013-06-20 09:11:34 EDT
Hi,

I have found a Self XSS Vulnerability at your site. You can address me with the name "wcypierre" in your replies.

Proof of Concept #1:
Vulnerability Type: Reflective XSS
----------------------------------
https://dev.eclipse.org/portal/myfoundation/tests/swim.php?file=committer_election%2Fcommitter_election.txt%27%3E%22%3E%3Csvg%20onload=alert%28/wcypierre/%29%3E

Proof of Concept #2:
Vulnerability Type: Reflective XSS
----------------------------------
https://dev.eclipse.org/portal/myfoundation/tests/run.php?file=committer_election%2Fcommitter_election.txtt%27%3E%22%3E%3Csvg%20onload=alert%28/wcypierre/%29%3E

Proof of Concept #3:
Vulnerability Type: Reflective XSS
----------------------------------
https://dev.eclipse.org/portal/myfoundation/tests/see.php?file=committer_election%2Fcommittt%27%3E%22%3E%3Csvg%20onload=alert%28/wcypierre/%29%3E

Please patch it as soon as possible.

Regards,
wcypierre

Personal Internal Reference
ID: #7
Comment 1 Denis Roy CLA 2013-06-20 09:13:32 EDT
Thanks for reporting this.  We will examine this right away.
Comment 2 'svg onloadalert0 'svg onloadalert1 CLA 2013-06-20 09:16:45 EDT
Hi,

Sure. By the way, omit the 2nd line of my report: it is a Reflective XSS vulnerability report and not a self XSS vulnerability report; I copied the wrong template.

Regards,
wcypierre
Comment 3 'svg onloadalert0 'svg onloadalert1 CLA 2013-06-20 09:29:47 EDT
Hi,

By the way, I've found another XSS Vulnerability.

Proof of Concept #4:
Vulnerability Type: Flash XSS
https://projects.eclipse.org/sites/all/modules/pmi/clipboard/zeroclipboard/ZeroClipboard.swf?id=\%22%29%29}catch%28e%29{}if%28!self.a%29self.a=!alert%28document.cookie%29//&width&height

Regards,
wcypierre
Comment 4 Denis Roy CLA 2013-06-20 09:34:14 EDT
> Vulnerability Type: Flash XSS
> https://projects.eclipse.org/sites/all/modules/pmi/clipboard/zeroclipboard/
> ZeroClipboard.swf?id=\%22%29%29}catch%28e%29{}if%28!self.a%29self.a=!
> alert%28document.cookie%29//&width&height


Wow.  That was disclosed against zeroclipboard back in February:
http://seclists.org/fulldisclosure/2013/Feb/103

Thanks.
Comment 5 'svg onloadalert0 'svg onloadalert1 CLA 2013-06-20 09:36:43 EDT
(In reply to comment #4)
> > Vulnerability Type: Flash XSS
> > https://projects.eclipse.org/sites/all/modules/pmi/clipboard/zeroclipboard/
> > ZeroClipboard.swf?id=\%22%29%29}catch%28e%29{}if%28!self.a%29self.a=!
> > alert%28document.cookie%29//&width&height
> 
> 
> Wow.  That was disclosed againsr zeroclipboard back in February:
> http://seclists.org/fulldisclosure/2013/Feb/103
> 
> Thanks.

Hi,

Yeah. This vulnerability has been around for quite a while, yet there are still a lot of vendors that are vulnerable to it.

Regards,
wcypierre
Comment 6 Wayne Beaton CLA 2013-06-20 14:07:14 EDT
(In reply to comment #0)
> Proof of Concept #1:
> Vulnerability Type: Reflective XSS
> ----------------------------------
> https://dev.eclipse.org/portal/myfoundation/tests/swim.
> php?file=committer_election%2Fcommitter_election.
> txt%27%3E%22%3E%3Csvg%20onload=alert%28/wcypierre/%29%3E
> 
> Proof of Concept #2:
> Vulnerability Type: Reflective XSS
> ----------------------------------
> https://dev.eclipse.org/portal/myfoundation/tests/run.
> php?file=committer_election%2Fcommitter_election.
> txtt%27%3E%22%3E%3Csvg%20onload=alert%28/wcypierre/%29%3E
> 
> Proof of Concept #1:
> Vulnerability Type: Reflective XSS
> ----------------------------------
> https://dev.eclipse.org/portal/myfoundation/tests/see.
> php?file=committer_election%2Fcommittt%27%3E%22%3E%3Csvg%20onload=alert%28/
> wcypierre/%29%3E
> 

These are patched.
Comment 7 Wayne Beaton CLA 2013-06-20 16:03:54 EDT
(In reply to comment #3)
> Proof of Concept #4:
> Vulnerability Type: Flash XSS
> https://projects.eclipse.org/sites/all/modules/pmi/clipboard/zeroclipboard/
> ZeroClipboard.swf?id=\%22%29%29}catch%28e%29{}if%28!self.a%29self.a=!
> alert%28document.cookie%29//&width&height

I've upgraded to ZeroClipboard 1.2.0-beta.1
Comment 8 'svg onloadalert0 'svg onloadalert1 CLA 2013-06-20 17:53:08 EDT
(In reply to comment #6)
> (In reply to comment #0)
> > Proof of Concept #1:
> > Vulnerability Type: Reflective XSS
> > ----------------------------------
> > https://dev.eclipse.org/portal/myfoundation/tests/swim.
> > php?file=committer_election%2Fcommitter_election.
> > txt%27%3E%22%3E%3Csvg%20onload=alert%28/wcypierre/%29%3E
> > 
> > Proof of Concept #2:
> > Vulnerability Type: Reflective XSS
> > ----------------------------------
> > https://dev.eclipse.org/portal/myfoundation/tests/run.
> > php?file=committer_election%2Fcommitter_election.
> > txtt%27%3E%22%3E%3Csvg%20onload=alert%28/wcypierre/%29%3E
> > 
> > Proof of Concept #1:
> > Vulnerability Type: Reflective XSS
> > ----------------------------------
> > https://dev.eclipse.org/portal/myfoundation/tests/see.
> > php?file=committer_election%2Fcommittt%27%3E%22%3E%3Csvg%20onload=alert%28/
> > wcypierre/%29%3E
> > 
> 
> These are patched.

Hi,

It has been patched, but it seems to have broken the functionality of the file as I can't read and run the contents of the file anymore.

Regards,
wcypierre
Comment 9 'svg onloadalert0 'svg onloadalert1 CLA 2013-06-20 17:55:30 EDT
(In reply to comment #7)
> (In reply to comment #3)
> > Proof of Concept #4:
> > Vulnerability Type: Flash XSS
> > https://projects.eclipse.org/sites/all/modules/pmi/clipboard/zeroclipboard/
> > ZeroClipboard.swf?id=\%22%29%29}catch%28e%29{}if%28!self.a%29self.a=!
> > alert%28document.cookie%29//&width&height
> 
> I've upgraded to ZeroClipboard 1.2.0-beta.1

Verified on my side.
Comment 10 'svg onloadalert0 'svg onloadalert1 CLA 2013-06-20 18:12:20 EDT
Hi,

I have found another XSS at your site.

http://eclipse.org/projects/searchpage.php?q=csharp%22%20autofocus%20onfocus=alert%28/wcypierre/%29%20var%20a=%22

Regards,
wcypierre
Comment 11 Wayne Beaton CLA 2013-06-20 22:36:40 EDT
(In reply to comment #8)
> It has been patched, but it seems to have broken the functionality of the
> file as I can't read and run the contents of the file anymore.

Well that's embarrassing. I was so concerned with testing that the parameter was legal, that I never thought to test for a valid value.

Truth be told, however, my first inclination was to delete the pages. We'll be doing that before too long anyway.

It should work now.
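The two fixes discussed in this thread, and the regression in comment 8, come down to the same pair of controls: validate the `file` parameter against what a legitimate value actually looks like (so valid values keep working), and encode whatever is reflected into an HTML attribute. The PHP below is an added example written for this page, not the portal's own code; `swim.php`/`see.php` were never published here, so the function names, the allowlist regex, the fixture directory and the rendered markup are all assumptions chosen to match the shapes of the reported PoCs.

```php
<?php
// Added example, not Eclipse Foundation code. Hypothetical reconstruction of
// the two reflection bugs in this thread: a "file" parameter echoed into an
// HTML attribute (swim.php/run.php/see.php) and a search "q" echoed into a
// value="..." attribute (searchpage.php). Function names, regex and fixture
// layout are this example's assumptions, not the portal's real code.

declare(strict_types=1);

// Vulnerable shape (contrast only): the raw parameter lands in a single-quoted
// attribute, so  '>"><svg onload=alert(1)>  closes the attribute and the <a>
// tag, and the browser runs the handler.
function render_link_vulnerable(string $file): string
{
    return "<a href='see.php?file=$file'>$file</a>";
}

// Hardened step 1: allowlist the value, not just reject characters. Accepts
// exactly "<dir>/<name>.txt" over [A-Za-z0-9_-]; quotes, angle brackets, "..",
// absolute paths and NUL all fail by construction.
function valid_test_file(string $file): bool
{
    return (bool) preg_match('~^[A-Za-z0-9_-]+/[A-Za-z0-9_-]+\.txt$~D', $file);
}

// Hardened step 2: confine the resolved path to the fixture directory.
// realpath() is false for a missing file; the prefix test is defence in depth
// should the allowlist ever be loosened. Returns null on any failure.
function resolve_test_file(string $baseDir, string $file): ?string
{
    if (!valid_test_file($file)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $file);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Hardened step 3: encode on output. ENT_QUOTES covers both ' and ", so the
// value cannot terminate either kind of attribute delimiter.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_link_hardened(string $file): string
{
    if (!valid_test_file($file)) {
        return '<p>Invalid file.</p>';
    }
    return '<a href="see.php?file=' . attr($file) . '">' . attr($file) . '</a>';
}

// Search box: the double-quoted value attribute of the searchpage.php report.
// A free-text query cannot be allowlisted like a file name; encoding is the fix.
function render_search_box(string $q): string
{
    return '<input type="text" name="q" value="' . attr($q) . '">';
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Self-check against a constructed fixture. The first two checks are the
// regression from comment 8: the fix must still accept the legitimate value.
$tmp = sys_get_temp_dir() . '/xss-example-' . bin2hex(random_bytes(4));
mkdir("$tmp/committer_election", 0700, true);
file_put_contents("$tmp/committer_election/committer_election.txt", "fixture\n");

$good     = 'committer_election/committer_election.txt';
$payload  = $good . "'>\"><svg onload=alert(/wcypierre/)>";         // PoC #1 shape
$qPayload = 'csharp" autofocus onfocus=alert(/wcypierre/) var a="'; // comment 10 shape

check(valid_test_file($good), 'legitimate value still accepted');
check(resolve_test_file($tmp, $good) !== null, 'legitimate file still resolves');
check(resolve_test_file($tmp, '../etc/passwd') === null, 'traversal rejected');
check(!valid_test_file($payload), 'payload rejected by allowlist');
check(strpos(render_link_vulnerable($payload), '<svg onload') !== false, 'vulnerable shape reflects');
check(strpos(render_link_hardened($payload), '<svg') === false, 'hardened shape does not');
check(strpos(render_search_box($qPayload), '" autofocus') === false, 'attribute not broken out of');
check(strpos(render_search_box($qPayload), '&quot; autofocus') !== false, 'quote encoded');

unlink("$tmp/committer_election/committer_election.txt");
rmdir("$tmp/committer_election");
rmdir($tmp);
echo "all checks passed\n";
```

Run it with `php example.php`; it builds a throwaway fixture under the system temp directory, exercises both the legitimate value and the two payload shapes from the thread, and removes the fixture afterwards. The allowlist alone would have stopped all three `file` PoCs, but a deployed page still needs the output encoding: the search box shows the case where no sensible allowlist exists, and `htmlspecialchars` with `ENT_QUOTES` is what keeps `"` from closing the `value` attribute.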
Comment 12 Wayne Beaton CLA 2013-06-20 22:45:53 EDT
(In reply to comment #10)
> Hi,
> 
> I have found another XSS at your site.
> 
> http://eclipse.org/projects/searchpage.
> php?q=csharp%22%20autofocus%20onfocus=alert%28/wcypierre/%29%20var%20a=%22
> 
> Regards,
> wcypierre

I haven't seen or thought of that page in a very long time. It may, I think, be time to deprecate/remove it. 

Fixed.
Comment 13 'svg onloadalert0 'svg onloadalert1 CLA 2013-06-20 23:29:09 EDT
(In reply to comment #11)
> (In reply to comment #8)
> > It has been patched, but it seems to have broken the functionality of the
> > file as I can't read and run the contents of the file anymore.
> 
> Well that's embarrassing. I was so concerned with testing that the parameter
> was legal, that I never thought to test for a valid value.
> 
> Truth be told, however, my first inclination was to delete the pages. We'll
> be doing that before too long anyway.
> 
> It should work now.

Verified the patch on my side for both this one and the other one on the search bar as well.
Comment 14 Wayne Beaton CLA 2017-03-27 20:28:19 EDT
I think that we're done here, so I'm marking this bug as fixed and am removing the committers-only flag.