| Summary: | Open redirects on https://accounts.eclipse.org | ||
|---|---|---|---|
| Product: | Community | Reporter: | <"xss' <"xss' <strukt93> |
| Component: | Vulnerability Reports | Assignee: | Security vulnerabilities reported against Eclipse projects <vulnerability.reports-inbox> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | P3 | CC: | chris.guindon, wayne.beaton |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | PC | ||
| OS: | Windows 7 | ||
| Whiteboard: | |||
|
Description
<"xss' <"xss'
Comment 1

Making this a "Committer-only group for handling security advisories in a closed fashion".

Comment 2 (Christopher Guindon)

(In reply to <"xss' <"xss' from comment #0)
> Hello,
>
> There's an open redirect vulnerability on the mentioned subdomain upon
> logging in. This allows attackers to redirect users to malicious places on
> the internet on your behalf and perform further attacks against them.
>
> Visit https://accounts.eclipse.org/user/login/?takemeback=//example.com and
> login with your credentials, notice that you have been redirected to
> example.com as a PoC.
>
> Regards,

I have a patch submitted for this. I am hoping we can get this fix on production in the next day or so.

Comment 3

(In reply to Christopher Guindon from comment #2)
> (In reply to <"xss' <"xss' from comment #0)
> > Hello,
> >
> > There's an open redirect vulnerability on the mentioned subdomain upon
> > logging in. This allows attackers to redirect users to malicious places on
> > the internet on your behalf and perform further attacks against them.
> >
> > Visit https://accounts.eclipse.org/user/login/?takemeback=//example.com and
> > login with your credentials, notice that you have been redirected to
> > example.com as a PoC.
> >
> > Regards,
>
> I have a patch submitted for this. I am hoping we can get this fix on
> production in the next day or so.

This is now on production! Thanks for the bug report!
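A server-side check of the kind this report calls for on the `takemeback` parameter, as an added example (not the Drupal patch that was actually deployed on accounts.eclipse.org): it accepts only a same-origin absolute path and falls back to a fixed landing page for anything else, including the protocol-relative `//example.com` form from the PoC and the `/\host` variant that browsers normalise the same way. The function name and the default landing path are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Where to send the user when `takemeback` cannot be trusted (assumed value).
DEFAULT_LANDING = "/"


def safe_return_path(takemeback, default=DEFAULT_LANDING):
    """Return a same-origin path for the post-login redirect, or `default`.

    Anything a browser could resolve to another host is rejected: an explicit
    scheme ("https://...", "javascript:..."), a protocol-relative authority
    ("//example.com", the form used in the PoC), the backslash variant
    ("/\\example.com", which browsers normalise to "//example.com"), and any
    value containing whitespace or control characters, which some browsers
    strip before parsing and which could therefore hide one of the above.
    """
    if not isinstance(takemeback, str) or not takemeback:
        return default
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in takemeback):
        return default
    parts = urlsplit(takemeback)
    if parts.scheme or parts.netloc:
        return default
    # Require exactly one leading slash: "//host" and "/\host" are both treated
    # as an authority by browsers even where urlsplit only sees a path.
    if not takemeback.startswith("/") or takemeback[1:2] in ("/", "\\"):
        return default
    # Rebuild from path, query and fragment only; scheme and host stay empty,
    # so the Location header can only point back into this origin.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample values: the PoC from the report plus a few variants.
    for value in ("//example.com", "/\\example.com", "https://example.com/",
                  "javascript:alert(1)", "\t//example.com", "/user/profile?tab=1"):
        print(repr(value), "->", safe_return_path(value))
```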