hadoop-hdfs-dev mailing list archives

From "Jinghui Wang (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HDFS-6684) HDFS NN and DN JSP pages do not check for script injection.
Date Tue, 15 Jul 2014 17:55:06 GMT
Jinghui Wang created HDFS-6684:
----------------------------------

             Summary: HDFS NN and DN JSP pages do not check for script injection.
                 Key: HDFS-6684
                 URL: https://issues.apache.org/jira/browse/HDFS-6684
             Project: Hadoop HDFS
          Issue Type: Bug
    Affects Versions: 2.4.1, 2.3.0, 2.2.0, 2.1.0-beta
            Reporter: Jinghui Wang
            Assignee: Jinghui Wang


Datanode's browseDirectory.jsp is not filtering script injection; it is possible to inject a script
with the dir parameter using dir=/hadoop'\"/><script>alert(759)</script>.

NameNode's dfsnodelist.jsp is not filtering script injection either. It is possible to set the sorter/order
parameter to "DSC%20onMouseOver=alert(959)//".



--
This message was sent by Atlassian JIRA
(v6.2#6252)
