
[eclipse.org] Potential code injection in download.php

Reported on the security ML:

We noticed that invalid paths are still recorded in the download stats, for example:

https://www.eclipse.org/downloads/download.php?file=/theia/ide/latest/test.exe

shows up in:

https://dev.eclipse.org/committers/committertools/stats.php

If you look for the query path:

theia/ide/latest/

you will find entries including:

BlackHatCracker PRO hacked by hacklaplanete

I am not sure whether this could lead to code injection or if it would be possible to manipulate download stats/drop tables, but it probably should not be possible to write download stats for non-existent files.

This is all I have, I just wanted to report it.
Now that I think about it, it also seems problematic that the stats.php page renders this input as HTML.
That could potentially be used to attack users who open the stats.php page.

Yes, this seems bad.

Using the following download link:
https://www.eclipse.org/downloads/download.php?file=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E

and then searching for alert on the stats site immediately executes the script.
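The two defects the thread describes (counting a download for a file that does not exist, and echoing the stored name into HTML unescaped) side by side with a hardened version, as an added illustration in PHP. This is not Eclipse's download.php or stats.php; the function names, the stats array layout and the temporary download root are assumptions made for the example.

```php
<?php
// Added example; not Eclipse's download.php or stats.php. Function names,
// the stats array layout and the temporary download root are assumptions.

// ---- Vulnerable pattern, as the report describes it ----
// Every value of ?file= is counted, whether or not it names a real file, and
// the stored string is later interpolated into HTML without escaping.
function record_download_vulnerable(array $stats, string $file): array
{
    $stats[$file] = ($stats[$file] ?? 0) + 1;
    return $stats;
}

function render_stats_vulnerable(array $stats): string
{
    $html = "<table>\n";
    foreach ($stats as $file => $count) {
        $html .= "<tr><td>$file</td><td>$count</td></tr>\n"; // raw: stored XSS
    }
    return $html . "</table>\n";
}

// ---- Hardened pattern ----
// Resolve the requested name under the download root and return its path
// relative to that root, or null if it is not an existing file inside the root.
function canonical_download_path(string $root, string $file): ?string
{
    if ($file === '' || strpos($file, "\0") !== false) {
        return null;
    }
    $rootReal = realpath($root);
    $real = realpath($root . '/' . ltrim($file, '/'));
    if ($rootReal === false || $real === false || !is_file($real)) {
        return null; // non-existent file: nothing to count
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the root (e.g. via ..)
    }
    return substr($real, strlen($rootReal));
}

function record_download_hardened(array $stats, string $root, string $file): array
{
    $path = canonical_download_path($root, $file);
    if ($path === null) {
        return $stats;
    }
    $stats[$path] = ($stats[$path] ?? 0) + 1;
    return $stats;
}

// Escape on output as well: the validation above limits what gets stored, but
// the renderer must not trust the data store (old rows may already be poisoned).
function render_stats_hardened(array $stats): string
{
    $html = "<table>\n";
    foreach ($stats as $file => $count) {
        $safe = htmlspecialchars((string) $file, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "<tr><td>$safe</td><td>" . (int) $count . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// ---- Demonstration with a constructed download root ----
$root = sys_get_temp_dir() . '/dl-demo-' . getmypid();
mkdir($root . '/theia/ide/latest', 0700, true);
touch($root . '/theia/ide/latest/real.tar.gz'); // constructed sample file

$payload = "\"><script>alert('XSS')</script>"; // the reporter's input, URL-decoded

echo "--- vulnerable ---\n";
echo render_stats_vulnerable(record_download_vulnerable([], $payload));

echo "--- hardened ---\n";
$stats = [];
$stats = record_download_hardened($stats, $root, $payload);                                   // dropped
$stats = record_download_hardened($stats, $root, '/theia/ide/latest/test.exe');                // dropped: no such file
$stats = record_download_hardened($stats, $root, '/theia/ide/latest/../../../../etc/passwd'); // dropped: outside root
$stats = record_download_hardened($stats, $root, '/theia/ide/latest/real.tar.gz');             // counted
$stats = record_download_hardened($stats, $root, 'theia/ide/latest/real.tar.gz');              // same file, counted again
echo render_stats_hardened($stats);

unlink($root . '/theia/ide/latest/real.tar.gz');
rmdir($root . '/theia/ide/latest');
rmdir($root . '/theia/ide');
rmdir($root . '/theia');
rmdir($root);
```

Escaping in the renderer alone is enough to close the XSS, and it is the fix that also protects whatever junk has already been written to the stats store; the existence and root-prefix checks on the recording side are what stop arbitrary strings from being stored and stop the stats from being polluted with non-existent paths in the first place.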