[AMBARI-25384] Ambari Files View is Vulnerable to XSS attack - ASF JIRA

Attach files

Attach Screenshot

Voters

Stop watching

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: trunk, 2.6.2, 2.7.4
Fix Version/s: 2.8.0, 2.7.5
Component/s: ambari-views
Labels:
- pull-request-available

Description

Problem Statement : Ambari Files view is vulnerable to XSS attack, if the Filename of the file uploaded in HDFS contains XSS scripts.

Reproduction :

1) login to files view

2) create a file called in your local system and upload it to files view: <svg onload= alert(document.domain)>

3) try to delete the file or edit permission of the file. the malciious XSS script will be executed in the Browser. this is a security Issue.

Please see attached screenshot

Attachments

Screen Shot 2019-09-24 at 6.05.19 PM.png
24/Sep/19 12:38
233 kB
Akhil Naik

Issue Links

Add Link

links to

GitHub PR#3490

Delete this link

GitHub Pull Request #3088

Delete this link

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Akhil Naik

Reporter:: Akhil Naik

Votes:: 0 Vote for this issue

Watchers:: 3 Stop watching this issue

Dates

Created:: 24/Sep/19 12:38

Updated:: 14/Nov/22 16:37

Resolved:: 03/Oct/19 07:22

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

Agile

View on Board

Ambari Files View is Vulnerable to XSS attack

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Time Tracking

Agile

Slack

Issue deployment