hadoop-common-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Haibo Chen (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-12964) Http server vulnerable to clickjacking
Date Fri, 25 Mar 2016 19:05:25 GMT
Haibo Chen created HADOOP-12964:
-----------------------------------

             Summary: Http server vulnerable to clickjacking 
                 Key: HADOOP-12964
                 URL: https://issues.apache.org/jira/browse/HADOOP-12964
             Project: Hadoop Common
          Issue Type: Bug
            Reporter: Haibo Chen
            Assignee: Haibo Chen


Nessus report shows a medium level issue that "Web Application Potentially Vulnerable to Clickjacking"
with the description "The remote web server does not set an X-Frame-Options response header
in all content responses. This could potentially expose the site to a clickjacking or UI Redress
attack wherein an attacker can trick a user into clicking an area of the vulnerable page that
is different than what the user perceives the page to be. This can result in a user performing
fraudulent or malicious transactions"

We could add X-Frame-Options, supported in all major browsers, in the Http response header
to mitigate the issue.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message