  1. Hadoop HDFS
  2. HDFS-6684

HDFS NN and DN JSP pages do not check for script injection.


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Not A Problem
    • Affects Version/s: 2.1.0-beta, 2.2.0, 2.3.0, 2.4.1

    Description

      Datanode's browseDirectory.jsp is not filtering script injection; it is possible to inject a script through the dir parameter using dir=/hadoop'\"/><script>alert(759)</script>.

      NameNode's dfsnodelist.jsp is not filtering script injection either. It is possible to set the sorter/order parameter to "DSC%20onMouseOver=alert(959)//".

      Attachments

        1. HDFS-6684.patch
          9 kB
          Jinghui Wang
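
The two parameter values in the description call for different defences, shown here as an added example that is not code from this issue, its attached patch, or Hadoop. The class name, the method names and the "ASC" counterpart to "DSC" are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;

public class JspParamHandling {
    // Assumed allowlist: "DSC" appears in the report, "ASC" is its assumed counterpart.
    private static final List<String> SORT_ORDERS = Arrays.asList("ASC", "DSC");

    /** Encode a value for an HTML text node or a quoted attribute value. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Enumerated parameters are matched against known values, never echoed back. */
    static String sortOrder(String raw) {
        return (raw != null && SORT_ORDERS.contains(raw)) ? raw : "ASC";
    }

    public static void main(String[] args) {
        // The two values from the description, after URL decoding.
        String dir = "/hadoop'\\\"/><script>alert(759)</script>";
        String order = "DSC onMouseOver=alert(959)//";

        // The dir value relies on quotes and angle brackets, so entity
        // encoding turns it into inert text.
        System.out.println("dir escaped:     " + escapeHtml(dir));

        // The order value contains none of the five encoded characters, so
        // encoding returns it unchanged; it would still split an unquoted
        // attribute at the space. Only the allowlist rejects it.
        System.out.println("order unchanged: " + escapeHtml(order).equals(order));
        System.out.println("order accepted:  " + sortOrder(order));
        System.out.println("valid order:     " + sortOrder("DSC"));
    }
}
```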

            People

              jwang302 Jinghui Wang