[HADOOP-12964] Http server vulnerable to clickjacking - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.8.0, 3.0.0-alpha1
Component/s: None
Labels:
None

Hadoop Flags:

Reviewed

Description

Nessus report shows a medium level issue that "Web Application Potentially Vulnerable to Clickjacking" with the description as follows:

"The remote web server does not set an X-Frame-Options response header in all content responses. This could potentially expose the site to a clickjacking or UI Redress attack wherein an attacker can trick a user into clicking an area of the vulnerable page that is different than what the user perceives the page to be. This can result in a user performing fraudulent or malicious transactions"

We could add X-Frame-Options, supported in all major browsers, in the Http response header to mitigate the issue.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

hadoop-12964.001.patch
25/Mar/16 20:19
3 kB
Haibo Chen
hadoop-12964.002.patch
28/Mar/16 20:42
4 kB
Haibo Chen
hadoop-12964.003.patch
28/Mar/16 22:28
4 kB
Haibo Chen

Issue Links

is related to

YARN-10833 RM logs endpoint vulnerable to clickjacking

Resolved

relates to

HDFS-10579 HDFS web interfaces lack configs for X-FRAME-OPTIONS protection

Resolved

Activity

People

Assignee:: Haibo Chen

Reporter:: Haibo Chen

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 25/Mar/16 19:04

Updated:: 25/Jun/21 18:40

Resolved:: 12/Apr/16 21:42