drill-issues mailing list archives

From "Daniel Barclay (Drill) (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (DRILL-3768) HTML- and JavaScript-injection vulnerability (lack of HTML encoding)
Date Fri, 11 Sep 2015 21:39:45 GMT

     [ https://issues.apache.org/jira/browse/DRILL-3768?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Barclay (Drill) updated DRILL-3768:
------------------------------------------
    Description: 
The Web UI does not properly encode query text or error message text into HTML.  This makes
the Web UI vulnerable to JavaScript-injection attacks.

Most importantly, the Web UI doesn't encode characters that are special in HTML, e.g., encoding
"<" in that plain text to "&lt;" in the HTML text.

This means that some queries containing a less-than character ("<") are displayed wrong.
 For example, submit this query and then look at its profile via the Web UI:

{noformat}
SELECT 1<B FROM (VALUES 2) AS T(B)
{noformat}

(The query currently shows up as "{{SELECT 1}}".)

What's worse is that someone submitting a query can inject HTML, _including JavaScript code_,
into the Web UI's pages.  Look at this query's profile in the Web UI:

{noformat}
VALUES `<script> alert("Gotcha!") </script>`
{noformat}


Another, though less serious, problem is that line breaks in plain text are not encoded into
HTML (e.g., as "<br />").

That means that separate lines of error messages are run together, making them harder or impossible
to parse correctly when seen in the Web UI.




  was:
The Web UI does not properly encode query text or error message text into HTML.  This makes
the Web UI vulnerable to JavaScript-injection attacks.

Most importantly, the Web UI doesn't encode characters that are special in HTML, e.g., encoding
"<" in that plain text to "&lt;" in the HTML text.

This means that some queries containing a less-than character ("<") are displayed wrong.
 For example, submit this query and then look at its profile via the Web UI:

{noformat}
SELECT 1<B FROM (VALUES 2) AS T(B)
{noformat}

(The query currently shows up as "{{SELECT 1}}".)

What's worse is that someone submitting a query can inject HTML, _including JavaScript code_,
into the Web UI's pages.  Look at this query's profile in the Web UI:

{noformat}
VALUES `<script> alert("Gotcha!") </script>
{noformat}


Another, though less serious, problem is that line breaks in plain text are not encoded into
HTML (e.g., as "<br />").

That means that separate lines of error messages are run together, making them harder or impossible
to parse correctly when seen in the Web UI.





> HTML- and JavaScript-injection vulnerability (lack of HTML encoding)
> --------------------------------------------------------------------
>
>                 Key: DRILL-3768
>                 URL: https://issues.apache.org/jira/browse/DRILL-3768
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Client - HTTP
>            Reporter: Daniel Barclay (Drill)
>            Assignee: Jason Altekruse
>            Priority: Critical
>
> The Web UI does not properly encode query text or error message text into HTML.  This
makes the Web UI vulnerable to JavaScript-injection attacks.
>
> Most importantly, the Web UI doesn't encode characters that are special in HTML, e.g.,
encoding "<" in that plain text to "&lt;" in the HTML text.
> This means that some queries containing a less-than character ("<") are displayed
wrong.  For example, submit this query and then look at its profile via the Web UI:
> {noformat}
> SELECT 1<B FROM (VALUES 2) AS T(B)
> {noformat}
> (The query currently shows up as "{{SELECT 1}}".)
> What's worse is that someone submitting a query can inject HTML, _including JavaScript
code_, into the Web UI's pages.  Look at this query's profile in the Web UI:
> {noformat}
> VALUES `<script> alert("Gotcha!") </script>`
> {noformat}
>
> Another, though less serious, problem is that line breaks in plain text are not encoded
into HTML (e.g., as "<br />").
> That means that separate lines of error messages are run together, making them harder
or impossible to parse correctly when seen in the Web UI.



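An added example (not from the JIRA issue or from Drill's own code) of the encoding step the report asks for, in Python: HTML-special characters are escaped first, then line breaks are turned into `<br />`. It is applied to the two queries quoted in the issue plus a constructed error message, and it also shows that encoding already-encoded text yields `&amp;lt;`, which is why the encoder must run exactly once per value.

```python
import html

# Sample inputs: the two queries from the issue, plus a constructed error message.
QUERY_LT = 'SELECT 1<B FROM (VALUES 2) AS T(B)'
QUERY_SCRIPT = 'VALUES `<script> alert("Gotcha!") </script>`'
ERROR_MSG = "Error during parsing:\nline 1, column 9: unexpected token"  # constructed


def encode_for_html(text: str) -> str:
    """Encode plain text for insertion into an HTML element body.

    html.escape() replaces '&' before '<', '>', '"' and "'", so the ampersand of an
    entity it produces is never re-encoded.  Line breaks are then rendered as <br />
    so multi-line error messages keep their structure instead of running together.
    """
    escaped = html.escape(text, quote=True)
    escaped = escaped.replace("\r\n", "\n").replace("\r", "\n")
    return escaped.replace("\n", "<br />\n")


def render_unencoded(text: str) -> str:
    """The buggy pattern: plain text dropped straight into the page template."""
    return "<pre>" + text + "</pre>"


def render_encoded(text: str) -> str:
    """The fixed pattern: text encoded before it reaches the page template."""
    return "<pre>" + encode_for_html(text) + "</pre>"


def has_unencoded_markup(encoded_text: str) -> bool:
    """Check for encoder output: True if any '<' or '>' survives apart from the
    <br /> tags the encoder itself emits.  Usable as a unit-test assertion over
    every value a profile page interpolates."""
    stripped = encoded_text.replace("<br />", "")
    return "<" in stripped or ">" in stripped


if __name__ == "__main__":
    for sample in (QUERY_LT, QUERY_SCRIPT, ERROR_MSG):
        print(render_encoded(sample))
```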
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
