hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Haibo Chen (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-12964) Http server vulnerable to clickjacking
Date Fri, 25 Mar 2016 19:07:25 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-12964?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Haibo Chen updated HADOOP-12964:
--------------------------------
    Description: 
Nessus report shows a medium level issue that "Web Application Potentially Vulnerable to Clickjacking"
with the description as follows:

"The remote web server does not set an X-Frame-Options response header in all content responses.
This could potentially expose the site to a clickjacking or UI Redress attack wherein an attacker
can trick a user into clicking an area of the vulnerable page that is different than what
the user perceives the page to be. This can result in a user performing fraudulent or malicious
transactions"

We could add X-Frame-Options, supported in all major browsers, in the Http response header
to mitigate the issue.

  was:
Nessus report shows a medium level issue that "Web Application Potentially Vulnerable to Clickjacking"
with the description "The remote web server does not set an X-Frame-Options response header
in all content responses. This could potentially expose the site to a clickjacking or UI Redress
attack wherein an attacker can trick a user into clicking an area of the vulnerable page that
is different than what the user perceives the page to be. This can result in a user performing
fraudulent or malicious transactions"

We could add X-Frame-Options, supported in all major browsers, in the Http response header
to mitigate the issue.


> Http server vulnerable to clickjacking 
> ---------------------------------------
>
>                 Key: HADOOP-12964
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12964
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Haibo Chen
>            Assignee: Haibo Chen
>
> Nessus report shows a medium level issue that "Web Application Potentially Vulnerable
to Clickjacking" with the description as follows:
> "The remote web server does not set an X-Frame-Options response header in all content
responses. This could potentially expose the site to a clickjacking or UI Redress attack wherein
an attacker can trick a user into clicking an area of the vulnerable page that is different
than what the user perceives the page to be. This can result in a user performing fraudulent
or malicious transactions"
> We could add X-Frame-Options, supported in all major browsers, in the Http response header
to mitigate the issue.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message