Details
- Bug
- Status: Resolved
- Critical
- Resolution: Fixed
- 2.7.3
Description
The application does not handle this error properly and reveals internal class names in the error
message, as shown in the HTTP request and response below. This happens when an admin user
tries to add an LDAP user that does not exist to a group.
HTTP Request:
PUT /api/v1/groups/csrf%20test/members HTTP/1.1
Host: xyz601:8080
Content-Length: 69
Accept: application/json, text/plain, */*
Origin: http://xyz601:8080
X-Requested-By: ambari
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Content-Type: plain/text
Referer: http://xyz601:8080/views/ADMIN_VIEW/2.6.2.2/INSTANCE/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: AMBARISESSIONID=nd54akraeumr1cmnz0gazantv
Connection: close

[{"MemberInfo/user_name":"test","MemberInfo/group_name":"csrf test"}]
HTTP Response:
HTTP/1.1 500 Internal Server Error
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cache-Control: no-store
Pragma: no-cache
User: hitepate
Content-Type: text/plain
Connection: close

{ "status" : 500, "message" : "org.apache.ambari.server.controller.spi.SystemException: An internal system exception occurred: User test doesn't exist" }

Severity: Low; Status: New; Ease of Exploit: Easy; Classification: Improper Output Handling
Remediation Recommendations
When errors occur, the site should respond with a specifically designed result that is helpful to the
user without revealing unnecessary internal details.
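As an added illustration of the recommendation above (example code, not part of this report or of Ambari), a Python check that flags fully-qualified Java exception class names in an error body, next to an error builder that keeps the internal detail in the server log and hands the client only a generic message and a reference id:

```python
import json
import re
import uuid

# Matches a fully-qualified Java class name ending in Exception/Error,
# e.g. org.apache.ambari.server.controller.spi.SystemException, which is
# the kind of internal detail the 500 body in the report exposes.
JAVA_EXCEPTION_RE = re.compile(r"\b(?:[a-z_]\w*\.){2,}[A-Z]\w*(?:Exception|Error)\b")

# Constructed copy of the leaking response body quoted in the report.
LEAKY_BODY = json.dumps({
    "status": 500,
    "message": "org.apache.ambari.server.controller.spi.SystemException: "
               "An internal system exception occurred: User test doesn't exist",
})

# Generic text the client receives instead of the exception chain.
GENERIC_MESSAGE = ("The request could not be completed. "
                   "Quote the reference id when contacting an administrator.")


def leaked_classes(body: str) -> list:
    """Return every fully-qualified exception class name found in a response body.

    Running this over API error responses is a cheap regression check that
    the fix stays in place."""
    return JAVA_EXCEPTION_RE.findall(body)


def safe_error_body(status: int, internal_message: str, log: list) -> str:
    """Build the client-facing error body: status, generic message, reference id.

    The full internal message is appended to `log` (a stand-in for the server
    log) keyed by the reference id, so operators can still correlate the
    client's report with the underlying exception."""
    reference = uuid.uuid4().hex
    log.append(f"ref={reference} status={status} detail={internal_message}")
    return json.dumps({"status": status, "message": GENERIC_MESSAGE, "reference": reference})


if __name__ == "__main__":
    print("leaked in original:", leaked_classes(LEAKY_BODY))
    server_log = []
    fixed = safe_error_body(500, json.loads(LEAKY_BODY)["message"], server_log)
    print("fixed body:", fixed)
    print("leaked in fixed:", leaked_classes(fixed))
    print("server log:", server_log)
```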