hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Haibo Chen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12964) Http server vulnerable to clickjacking
Date Mon, 28 Mar 2016 19:52:25 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12964?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15214768#comment-15214768
] 

Haibo Chen commented on HADOOP-12964:
-------------------------------------

The unit test failures and license warning are unrelated. Will update to correct the check
style issues.

> Http server vulnerable to clickjacking 
> ---------------------------------------
>
>                 Key: HADOOP-12964
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12964
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Haibo Chen
>            Assignee: Haibo Chen
>         Attachments: hadoop-12964.001.patch
>
>
> Nessus report shows a medium level issue that "Web Application Potentially Vulnerable
to Clickjacking" with the description as follows:
> "The remote web server does not set an X-Frame-Options response header in all content
responses. This could potentially expose the site to a clickjacking or UI Redress attack wherein
an attacker can trick a user into clicking an area of the vulnerable page that is different
than what the user perceives the page to be. This can result in a user performing fraudulent
or malicious transactions"
> We could add X-Frame-Options, supported in all major browsers, in the Http response header
to mitigate the issue.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message