Hadoop Common / HADOOP-11385

Prevent cross site scripting attack on JMXJSONServlet


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.7.0
    • Component/s: None
    • Labels:
      None
    • Hadoop Flags:
      Incompatible change, Reviewed

      Description

      JMXJSONServlet allows passing a callback parameter in the JMX response, which was introduced in HADOOP-8922:

              // "callback" parameter implies JSONP output
              jsonpcb = request.getParameter(CALLBACK_PARAM);
              if (jsonpcb != null) {
                response.setContentType("application/javascript; charset=utf8");
                writer.write(jsonpcb + "(");
              } else {
                response.setContentType("application/json; charset=utf8");
              }

      The code writes the callback parameter directly to the output, allowing a cross-site scripting attack. This vulnerability allows an attacker to easily steal the credentials of the user in the browser.

      The original use case can be supported using Cross-origin resource sharing (CORS), which is used by the current NN web UI.

      This jira proposes to move JMXJSONServlet to CORS.
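The reflection described above and the two ways of closing it, as an added example that is not Hadoop's code: the servlet's response construction is modelled as pure functions returning (content type, headers, body) so the behaviour can be checked offline. The JMX payload, the attacker-controlled callback value, the identifier regex and the origin allow-list are all constructed here for illustration; Hadoop's actual fix is the patch attached to this issue.

```python
"""Vulnerable JSONP reflection beside a validated-callback variant and the
CORS alternative the issue proposes. Added example; not Hadoop's code."""
import json
import re

# Constructed stand-in for the bean data JMXJSONServlet would serialize.
SAMPLE_JMX = {"beans": [{"name": "Hadoop:service=NameNode,name=FSNamesystem",
                         "CapacityTotal": 1024}]}

# Constructed attacker-controlled ?callback= value: arbitrary script is
# placed before the "(" and the real JSON body is commented out.
MALICIOUS_CALLBACK = "alert(document.cookie);//"


def render_vulnerable(jmx, callback):
    """Mirrors the original logic: the callback is written verbatim."""
    body = json.dumps(jmx)
    if callback is not None:
        return ("application/javascript; charset=utf8", {}, callback + "(" + body + ")")
    return ("application/json; charset=utf8", {}, body)


# A JSONP callback only ever needs to be a (dotted) JavaScript identifier;
# anything else is an injection attempt. Assumed policy, not Hadoop's.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def callback_is_safe(callback):
    """True only for callbacks that match the identifier allow-list."""
    return callback is not None and _CALLBACK_RE.match(callback) is not None


def render_jsonp_validated(jmx, callback):
    """Hardened JSONP: keep the feature but refuse non-identifier callbacks."""
    body = json.dumps(jmx)
    if callback is None:
        return ("application/json; charset=utf8", {}, body)
    if not callback_is_safe(callback):
        raise ValueError("invalid callback parameter")
    return ("application/javascript; charset=utf8", {}, callback + "(" + body + ");")


# Constructed allow-list; a real deployment would take this from configuration.
ALLOWED_ORIGINS = {"https://namenode.example.internal:50070"}


def render_cors(jmx, origin):
    """CORS alternative: plain JSON, no callback at all. The Origin header is
    checked against a fixed allow-list and echoed only on a match; it is never
    reflected blindly and never '*' for an endpoint that may sit behind auth."""
    headers = {}
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
    return ("application/json; charset=utf8", headers, json.dumps(jmx))


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_JMX, MALICIOUS_CALLBACK)[2][:60])
    print(callback_is_safe(MALICIOUS_CALLBACK), callback_is_safe("jQuery_cb1"))
    print(render_cors(SAMPLE_JMX, "https://evil.example")[1])
```

Validating the callback is the minimal fix if JSONP must stay; dropping JSONP in favour of CORS, as this issue does, removes the script-prefix reflection entirely, which is why the change is flagged incompatible for any client still passing callback=.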

        Attachments

        1. HADOOP-11385.000.patch
          8 kB
          Haohui Mai


            People

            • Assignee: wheat9 Haohui Mai
            • Reporter: wheat9 Haohui Mai
            • Votes: 0
            • Watchers: 5
