Ambari / AMBARI-25280

Improper error handling when managing Ambari users


    Description

      The application does not handle the error properly and reveals internal class names in the error
      message, as shown in the HTTP request and response below. This happens when an admin user
      tries to add an LDAP user that doesn't exist to a group.

      HTTP Request:

      PUT /api/v1/groups/csrf%20test/members HTTP/1.1
      Host: xyz601:8080
      Content-Length: 69
      Accept: application/json, text/plain, */*
      Origin: http://xyz601:8080
      X-Requested-By: ambari
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
      Content-Type: plain/text
      Referer: http://xyz601:8080/views/ADMIN_VIEW/2.6.2.2/INSTANCE/
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Cookie: AMBARISESSIONID=nd54akraeumr1cmnz0gazantv
      Connection: close
      [{"MemberInfo/user_name":"test","MemberInfo/group_name":"csrf test"}]
      

      HTTP Response:

      HTTP/1.1 500 Internal Server Error
      X-Frame-Options: DENY
      X-XSS-Protection: 1; mode=block
      X-Content-Type-Options: nosniff
      Cache-Control: no-store
      Pragma: no-cache
      User: hitepate
      Content-Type: text/plain
      Connection: close
      {
      "status" : 500,
      "message" : "org.apache.ambari.server.controller.spi.SystemException: An internal system exception occurred: User test doesn't exist"
      }

      Finding details:
      Severity: Low
      Status: New
      Ease of Exploit: Easy
      Classification: Improper Output Handling
      Hadoop refresh (Break Glass) - UMF Visa Restricted 32
      

      Remediation Recommendations
      When errors occur, the application should return a purpose-designed error response that is helpful to the
      user without revealing unnecessary internal details such as exception class names.
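      As an added example (not Ambari's own code), the Python below shows two things: a detection check that flags a fully qualified Java exception name in a response body, run against a constructed copy of the body above, and a handler for the membership PUT that returns a fixed, client-safe message while keeping the internal detail in the server log under a reference id. UserNotFound, add_member and the regex are assumptions, not Ambari APIs.

```python
import json
import logging
import re
import uuid

log = logging.getLogger("ambari-api")

# Constructed copy of the response body from the report above.
LEAKY_BODY = json.dumps({
    "status": 500,
    "message": "org.apache.ambari.server.controller.spi.SystemException: "
               "An internal system exception occurred: User test doesn't exist",
})

# A fully qualified Java exception name (package.path.SomeException) in a body.
LEAK_PATTERN = re.compile(r"\b(?:[a-z_][a-z0-9_]*\.){2,}[A-Z]\w*(?:Exception|Error)\b")

def leaks_internal_detail(body: str) -> bool:
    """Detection check: does a response body expose an internal class name?"""
    return LEAK_PATTERN.search(body) is not None

# Stand-in for the server-side failure (assumption; not Ambari's own class).
class UserNotFound(Exception):
    pass

def render_error(exc: Exception) -> tuple[int, dict]:
    """Map an exception to a status and a fixed, client-safe message; the type
    and text of the failure go only to the server log, keyed by a reference id."""
    ref = uuid.uuid4().hex[:8]
    cause = exc.__cause__ or exc  # unwrap a wrapping exception, if any
    if isinstance(cause, UserNotFound):
        status, message = 404, "The requested user does not exist."
    else:
        status, message = 500, "An internal error occurred."
    log.error("ref=%s status=%d exc=%s: %s", ref, status, type(cause).__name__, cause)
    return status, {"status": status, "message": message, "reference": ref}

def add_member(known_users: set[str], user_name: str) -> tuple[int, dict]:
    """Handler for the membership PUT: every failure passes through render_error."""
    try:
        if user_name not in known_users:
            raise UserNotFound(f"User {user_name} doesn't exist")
        return 200, {"status": 200, "message": "member added"}
    except Exception as exc:
        return render_error(exc)

if __name__ == "__main__":
    print(leaks_internal_detail(LEAKY_BODY))  # True
    code, body = add_member({"admin"}, "test")
    print(code, json.dumps(body), leaks_internal_detail(json.dumps(body)))  # 404 ... False
```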

      People
        Assignee / Reporter: Krisztian Kasa (kkasa)

      Time Tracking
        Time Spent: 1.5h