drill-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DRILL-5766) Stored XSS in APACHE DRILL
Date Fri, 22 Sep 2017 19:13:00 GMT

    [ https://issues.apache.org/jira/browse/DRILL-5766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16176955#comment-16176955 ]

ASF GitHub Bot commented on DRILL-5766:
---------------------------------------

Github user arina-ielchiieva commented on a diff in the pull request:

    https://github.com/apache/drill/pull/935#discussion_r140574454
  
    --- Diff: exec/java-exec/src/main/resources/rest/profile/profile.ftl ---
    @@ -162,8 +226,7 @@
           </div>
           <div id="fragment-overview" class="panel-collapse collapse">
             <div class="panel-body">
    -          <svg id="fragment-overview-canvas" class="center-block"></svg>
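    Review bot: dropping the `<svg id="fragment-overview-canvas" class="center-block"></svg>` element does not address the stored XSS this issue tracks, which needs the untrusted query text to be HTML-encoded at the point where profile.ftl renders it; since the comment below confirms the canvas is needed for the fragment execution-time graphic, restore that line and keep the fix to output encoding. The excerpt is also incomplete for review: the header `@@ -162,8 +226,7 @@` declares eight old lines, but only three context lines and one `-` line are shown, so the rest of this hunk cannot be checked from the quote.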
    --- End diff --
    
    Talked to Kunal; it turned out that we need this canvas to display the graphic for fragment execution time, so I guess we need to return it.


> Stored XSS in APACHE DRILL
> --------------------------
>
>                 Key: DRILL-5766
>                 URL: https://issues.apache.org/jira/browse/DRILL-5766
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Functions - Drill
>    Affects Versions: 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.11.0
>         Environment: Apache drill installed in debian system
>            Reporter: Sanjog Panda
>            Assignee: Arina Ielchiieva
>            Priority: Critical
>              Labels: cross-site-scripting, ready-to-commit, security, security-issue, xss
>             Fix For: 1.12.0
>
>         Attachments: XSS - Sink.png, XSS - Source.png
>
>
> Hello Apache security team,
> I have been testing an application which internally uses the Apache Drill software v1.6 as of now.
> I found XSS on the profile page (sink), wherein the user's malicious input comes from the Query page (source) where you run a query.
> Affected URL : https://localhost:8047/profiles
> Once the user gives the below payload and loads the profile page, it gets triggered and is stored.
> I have attached the screenshot of the payload <script>alert(document.cookie)</script>.
> *[screenshot link]*
> https://drive.google.com/file/d/0B8giJ3591fvUbm5JZWtjUTg3WmEwYmJQeWd6dURuV0gzOVd3/view?usp=sharing
> https://drive.google.com/file/d/0B8giJ3591fvUV2lJRzZWOWRGNzN5S0JzdVlXSG1iNnVwRlAw/view?usp=sharing

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
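The source-to-sink flow the report describes, as an added example that is not Drill's code: a query submitted on the Query page is stored verbatim, and the profile listing either interpolates it raw (the reported sink) or HTML-encodes it at output. The names `submitQuery`, `renderProfilesVulnerable`, `renderProfilesFixed`, `escapeHtml` and `containsScriptTag` are assumptions for this illustration, as is the in-memory `profileStore`.

```javascript
// Added example, not Apache Drill's code. Models the stored XSS in DRILL-5766:
// "source" = the Query page stores the SQL text as typed,
// "sink"   = the /profiles page renders that stored text into HTML.
// All names below are hypothetical; the sample data is constructed.
const profileStore = [];

// Source: store the text exactly as submitted. Do not encode here; the
// profile must show the original SQL, and encoding on input would also
// mangle legitimate '<' or '&' characters inside queries.
function submitQuery(sql) {
  const id = `q-${profileStore.length + 1}`;
  profileStore.push({ id, sql });
  return id;
}

// Vulnerable sink: template interpolation drops user text straight into markup.
function renderProfilesVulnerable(store = profileStore) {
  return store
    .map(p => `<tr><td>${p.id}</td><td>${p.sql}</td></tr>`)
    .join("\n");
}

// HTML entity encoder for text nodes and quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Fixed sink: encode each untrusted value at the point of output.
function renderProfilesFixed(store = profileStore) {
  return store
    .map(p => `<tr><td>${escapeHtml(p.id)}</td><td>${escapeHtml(p.sql)}</td></tr>`)
    .join("\n");
}

// Defender-side check: does the rendered page still carry a live <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: an ordinary query plus the payload quoted in the report.
submitQuery("SELECT * FROM cp.`employee.json` WHERE salary < 5000");
submitQuery("<script>alert(document.cookie)</script>");
```

Running the block and comparing the two renderings shows the stored SQL unchanged in both while only the encoded version keeps the tag inert.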
