hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Kanter (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-12964) Http server vulnerable to clickjacking
Date Tue, 12 Apr 2016 21:43:25 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-12964?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Robert Kanter updated HADOOP-12964:
      Resolution: Fixed
    Hadoop Flags: Reviewed
          Status: Resolved  (was: Patch Available)

Thanks Haibo.  Committed to trunk and branch-2!

> Http server vulnerable to clickjacking 
> ---------------------------------------
>                 Key: HADOOP-12964
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12964
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Haibo Chen
>            Assignee: Haibo Chen
>         Attachments: hadoop-12964.001.patch, hadoop-12964.002.patch, hadoop-12964.003.patch
> Nessus report shows a medium level issue that "Web Application Potentially Vulnerable
to Clickjacking" with the description as follows:
> "The remote web server does not set an X-Frame-Options response header in all content
responses. This could potentially expose the site to a clickjacking or UI Redress attack wherein
an attacker can trick a user into clicking an area of the vulnerable page that is different
than what the user perceives the page to be. This can result in a user performing fraudulent
or malicious transactions"
> We could add X-Frame-Options, supported in all major browsers, in the Http response header
to mitigate the issue.

This message was sent by Atlassian JIRA

View raw message