hadoop-common-dev mailing list archives

From "Haohui Mai (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-11385) Cross site scripting attack on JMXJSONServlet
Date Wed, 10 Dec 2014 05:17:12 GMT
Haohui Mai created HADOOP-11385:

             Summary: Cross site scripting attack on JMXJSONServlet
                 Key: HADOOP-11385
                 URL: https://issues.apache.org/jira/browse/HADOOP-11385
             Project: Hadoop Common
          Issue Type: Bug
            Reporter: Haohui Mai
            Assignee: Haohui Mai
            Priority: Critical

JMXJSONServlet allows passing a callback parameter in the JMX response, which is introduced
in HADOOP-8922:

        // "callback" parameter implies JSONP output
        jsonpcb = request.getParameter(CALLBACK_PARAM);
        if (jsonpcb != null) {
          response.setContentType("application/javascript; charset=utf8");
          // the unvalidated request parameter is echoed verbatim into the response body
          writer.write(jsonpcb + "(");
        } else {
          response.setContentType("application/json; charset=utf8");
        }

The code writes the callback parameter directly to the output, allowing a cross-site scripting
attack. This vulnerability allows the attacker to easily steal the credentials of the user
in the browser.

The original use case can be supported using cross-origin resource sharing (CORS), which is
used by the current NN web UI.

This jira proposes to move JMXJSONServlet to CORS.

This message was sent by Atlassian JIRA
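A hardened version of the quoted branch, added here as an example and not code from the Hadoop project or from this report: it serves plain JSON behind a CORS allow-list, as the report proposes, and, as an additional check the report does not itself propose, refuses any JSONP callback that is not a plain JavaScript identifier instead of echoing it. The class name, ALLOWED_ORIGIN and the writeJmxJson helper are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HardenedJmxJsonServlet extends HttpServlet {
  private static final String CALLBACK_PARAM = "callback";
  // Assumed origin of the web UI that is allowed to read the JMX JSON cross-site.
  private static final String ALLOWED_ORIGIN = "https://namenode.example.internal";
  // A callback must be a plain (optionally dotted) JavaScript identifier, so values
  // such as "<script>..." or "x;alert(1)//" are rejected before they reach the body.
  private static final Pattern SAFE_CALLBACK =
      Pattern.compile("[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*");

  static boolean isSafeCallback(String cb) {
    return cb != null && cb.length() <= 64 && SAFE_CALLBACK.matcher(cb).matches();
  }

  @Override
  protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
    // Preferred path (what the report proposes): plain JSON, with the browser
    // enforcing CORS so only the allow-listed origin can read the response.
    String origin = request.getHeader("Origin");
    if (ALLOWED_ORIGIN.equals(origin)) {
      response.setHeader("Access-Control-Allow-Origin", ALLOWED_ORIGIN);
      response.setHeader("Vary", "Origin");
    }
    // Stop browsers from sniffing the JSON body as HTML or script.
    response.setHeader("X-Content-Type-Options", "nosniff");
    String jsonpcb = request.getParameter(CALLBACK_PARAM);
    if (jsonpcb != null && !isSafeCallback(jsonpcb)) {
      // Defence in depth while JSONP is still offered: refuse, never echo.
      response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid callback");
      return;
    }
    PrintWriter writer = response.getWriter();
    if (jsonpcb != null) {
      response.setContentType("application/javascript; charset=utf8");
      writer.write(jsonpcb + "(");
    } else {
      response.setContentType("application/json; charset=utf8");
    }
    writeJmxJson(writer); // hypothetical helper that serialises the JMX beans
    if (jsonpcb != null) {
      writer.write(");");
    }
  }

  private void writeJmxJson(PrintWriter writer) {
    writer.write("{\"beans\":[]}"); // placeholder body for this example
  }
}
```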
