I20100429-1549 A phishing vulnerability was fixed in the Eclipse Infocenter by adding the function isValidTopicUrl() to UrlUtil. A scan with an automated tool revealed that the vulnerability still exists in the war file version of the help system.
Created attachment 167410
Possible fix

I have been unable to reproduce this problem in a running war, but the tool hit on an area which has been a problem in the past. Possible theories are:
a) The preferences are not getting initialized correctly.
b) org.eclipse.help.internal.webapp.data.UrlUtil.isValidTopicURL(String) is getting called before BaseHelpSystem.checkMode() is called.
c) The help system is bypassing the check by being launched in basic mode. I tried testing in basic mode and did not see the problem.

This patch fixes a) and b). Chris A, can you apply this patch and retest? I don't know if this represents a bug that a user could ever exploit, but it would be nice to get a clean report from AppScan. If this fixes the problem we should remove the preference that suppresses the anti-phishing check.
Unfortunately I still see the phishing alert in the AppScan results:

-------------------------
Possible Causes
The web application performs a redirection to an external site

Technical Description
Phishing is a general term for attempts to scam users into surrendering private information that will be used for identity theft. An http parameter was found to hold a URL value and cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. The fact that the server name in the modified link is identical to the original site helps the attacker by giving his phishing attempts a more reliable appearance.

Sample Exploit:
When a parameter with a URL-like value is found, it is modified to point to another site. For example, the following request:
http://www.site.com/redirect.aspx?target=http://www.anotherSite.com
will be modified to:
http://www.site.com/redirect.aspx?target=http://www.watchfire.com

Fix Recommendation
Avoid redirecting to outer sites based on parameter values. If it is necessary to do so, be sure to validate the URL to which the application is redirected to, and avoid redirections to unknown sites.
-------------------------

If we are validating the URLs properly, we will never encounter this problem. But I don't know that AppScan tests to see if we are validating, per the 'Fix Recommendation', so this may always fail...
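The AppScan finding above is the classic open-redirect test: substitute an external URL into a URL-valued parameter and see whether the application sends the browser there. The "Fix Recommendation" it quotes, and the isValidTopicUrl() check mentioned earlier in this bug, amount to the same thing: accept only relative paths or an explicit allow-list of hosts, and do so unconditionally so that no preference or mode can gate the check (theories a, b and c above). The following is an added illustration of such a check, not the Eclipse UrlUtil implementation or the attached patch; the class name TopicUrlCheck, the method names, the allowed host list and the default topic are assumptions for the example, and the sample inputs are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/**
 * Added example (not the Eclipse UrlUtil code): validate a URL-valued request
 * parameter before it is used as a redirect or frame target. The method name
 * isValidTopicUrl and the allowed host list are assumptions for illustration.
 */
public class TopicUrlCheck {

    // Assumption: the only external host the help server may send a browser to.
    private static final List<String> ALLOWED_HOSTS = Arrays.asList("help.eclipse.org");

    // Assumption: where to send the user when the supplied target is rejected.
    private static final String DEFAULT_TOPIC = "/help/index.jsp";

    /**
     * True only for a relative path on this server or an http(s) URL whose host
     * is on the allow list. Other schemes, protocol-relative "//host" links,
     * backslash tricks and unparsable input are rejected. The check does not
     * depend on any preference or help-system mode, so it cannot be skipped by
     * an uninitialised preference or by basic mode.
     */
    public static boolean isValidTopicUrl(String url) {
        if (url == null) {
            return false;
        }
        String candidate = url.trim();
        if (candidate.isEmpty()) {
            return false;
        }
        // Some browsers treat "\" like "/" ("/\evil.example"), and "//host/path"
        // is a protocol-relative link to another site: refuse both before parsing.
        if (candidate.indexOf('\\') >= 0 || candidate.startsWith("//")) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return false; // unparsable input is never a valid topic
        }
        if (uri.getScheme() == null && uri.getAuthority() == null) {
            // e.g. "/help/topic/org.eclipse.platform.doc.user/..." or "../topic/x.htm"
            return true;
        }
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            return false; // javascript:, data:, mailto: and similar
        }
        String host = uri.getHost();
        // "http:evil" (opaque, no host) and "http://help.eclipse.org@evil.example"
        // (userinfo trick, host is evil.example) both fail here.
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** The target actually used for the redirect: the parameter if it passes, else the default topic. */
    public static String safeRedirectTarget(String requestedTopic) {
        return isValidTopicUrl(requestedTopic) ? requestedTopic.trim() : DEFAULT_TOPIC;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the first three are legitimate; the rest are the
        // kinds of values a scanner such as AppScan substitutes into a URL parameter.
        String[] samples = {
            "/help/topic/org.eclipse.platform.doc.user/concepts/concepts-2.htm",
            "../topic/org.eclipse.jdt.doc.user/gettingStarted/intro.htm",
            "https://help.eclipse.org/topic/org.eclipse.platform.doc.user/index.html",
            "http://www.watchfire.com",
            "//www.watchfire.com/phish",
            "/\\www.watchfire.com",
            "http://help.eclipse.org@www.watchfire.com/",
            "http://help.eclipse.org.www.watchfire.com/",
            "javascript:alert(document.cookie)",
            "http:www.watchfire.com"
        };
        for (String s : samples) {
            System.out.println((isValidTopicUrl(s) ? "ACCEPT " : "REJECT ") + s
                    + "  -> redirect to " + safeRedirectTarget(s));
        }
    }
}
```

With an empty ALLOWED_HOSTS only relative targets pass, which is the simplest way to satisfy the scanner's recommendation of not redirecting to outer sites at all. The scanner only observes whether the response leads to the substituted host, so a check like this one, applied on every request path that consumes the parameter, is what makes the alert go away.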
After investigating this carefully I do not see a phishing problem. I used the URL which came from the AppScan tool and opened it, but did not see any redirection to a spoofed site visible in the browser. I used Firebug to look at the requests, but again no request was sent to an external site. I will leave this open as we continue to investigate, but have removed the target milestone.
Further analysis has shown that this is not a real phishing vulnerability.