hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Haohui Mai (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-11385) Cross site scripting attack on JMXJSONServlet
Date Wed, 10 Dec 2014 05:17:12 GMT
Haohui Mai created HADOOP-11385:
-----------------------------------

             Summary: Cross site scripting attack on JMXJSONServlet
                 Key: HADOOP-11385
                 URL: https://issues.apache.org/jira/browse/HADOOP-11385
             Project: Hadoop Common
          Issue Type: Bug
            Reporter: Haohui Mai
            Assignee: Haohui Mai
            Priority: Critical


JMXJSONServlet allows passing a callback parameter in the JMX response, which is introduced
in HADOOP-8922:

{code}
        // "callback" parameter implies JSONP outpout
        jsonpcb = request.getParameter(CALLBACK_PARAM);
        if (jsonpcb != null) {
          response.setContentType("application/javascript; charset=utf8");
          writer.write(jsonpcb + "(");
        } else {
          response.setContentType("application/json; charset=utf8");
        }
{code}

The code writes the callback parameter directly to the output, allowing cross-site scripting
attack. This vulnerability allows the attacker easily stealing the credential of the user
on the browser.

The original use case can be supported using Cross-origin resource sharing (CORS), which is
used by the current NN web UI.

This jira proposes to move JMXJSONServlet to CORS.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message