[HADOOP-11385] Prevent cross site scripting attack on JMXJSONServlet - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.7.0
Component/s: None
Labels:
None

Hadoop Flags:

Incompatible change, Reviewed

Description

JMXJSONServlet allows passing a callback parameter in the JMX response, which is introduced in ~~HADOOP-8922~~:

        // "callback" parameter implies JSONP outpout
        jsonpcb = request.getParameter(CALLBACK_PARAM);
        if (jsonpcb != null) {
          response.setContentType("application/javascript; charset=utf8");
          writer.write(jsonpcb + "(");
        } else {
          response.setContentType("application/json; charset=utf8");
        }

The code writes the callback parameter directly to the output, allowing cross-site scripting attack. This vulnerability allows the attacker easily stealing the credential of the user on the browser.

The original use case can be supported using Cross-origin resource sharing (CORS), which is used by the current NN web UI.

This jira proposes to move JMXJSONServlet to CORS.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HADOOP-11385.000.patch
17/Dec/14 21:43
8 kB
Haohui Mai

Activity

People

Assignee:: Haohui Mai

Reporter:: Haohui Mai

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 10/Dec/14 05:16

Updated:: 24/Apr/15 22:49

Resolved:: 18/Dec/14 19:39