hadoop-hdfs-issues mailing list archives

From "Junping Du (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-4901) Site Scripting and Phishing Through Frames in browseDirectory.jsp
Date Tue, 05 Nov 2013 07:11:17 GMT

    [ https://issues.apache.org/jira/browse/HDFS-4901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13813708#comment-13813708 ]

Junping Du commented on HDFS-4901:
----------------------------------

I think the answer is probably no. Basically, you should switch branch from trunk to branch-1
and set up the build env by following: http://wiki.apache.org/hadoop/BuildingHadoopFromSVN. When
your env is ready to go, make your changes, run ant test, and paste your test results (not introducing
new failures or warnings) in JIRA. The committer will review your patch based on your changes
and results. I think this is the current branch-1 process.

> Site Scripting and Phishing Through Frames in browseDirectory.jsp
> -----------------------------------------------------------------
>
>                 Key: HDFS-4901
>                 URL: https://issues.apache.org/jira/browse/HDFS-4901
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: security, webhdfs
>    Affects Versions: 1.2.1
>            Reporter: Jeffrey E  Rodriguez
>            Assignee: Vivek Ganesan
>            Priority: Blocker
>         Attachments: HDFS-4901.patch, HDFS-4901.patch.1
>
>   Original Estimate: 24h
>          Time Spent: 24h
>  Remaining Estimate: 0h
>
> It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user,
> allowing the hacker to view or alter user records, and to perform transactions as that user.
> e.g.
> GET /browseDirectory.jsp? dir=%2Fhadoop'"/><script>alert(759)</script>&namenodeInfoPort=50070
> Also;
> Phishing Through Frames
> Try:
> GET /browseDirectory.jsp? dir=%2Fhadoop%27%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fdemo.testfire.net%2Fphishing.html%3E
> &namenodeInfoPort=50070 HTTP/1.1
> Cookie: JSESSIONID=qd9i8tuccuam1cme71swr9nfi
> Accept-Language: en-US
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;



--
This message was sent by Atlassian JIRA
(v6.1#6144)
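The two probe requests quoted in the report, replayed against a constructed stand-in for the JSP's reflection of the dir parameter and against an output-encoded version of the same template. This is an added Python example, not Hadoop code and not the attached patch; the template shape (value echoed into an href attribute and into link text) is an assumption, and the check is a parser-based count of tags the parameter managed to introduce.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Request targets reconstructed from the report (URL-encoded as a browser would send them).
PROBES = [
    "/browseDirectory.jsp?dir=%2Fhadoop%27%22%2F%3E%3Cscript%3Ealert(759)%3C%2Fscript%3E"
    "&namenodeInfoPort=50070",
    "/browseDirectory.jsp?dir=%2Fhadoop%27%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fdemo.testfire.net"
    "%2Fphishing.html%3E&namenodeInfoPort=50070",
]


def dir_param(request_target: str) -> str:
    """Decode the dir query parameter the way the servlet container hands it to the JSP."""
    return parse_qs(urlsplit(request_target).query, keep_blank_values=True).get("dir", [""])[0]


def render_unsafe(d: str) -> str:
    # Assumed stand-in for the bug: the raw value lands in an attribute and in element text.
    return f'<a href="/browseDirectory.jsp?dir={d}">{d}</a>'


def render_safe(d: str) -> str:
    # escape(quote=True) encodes & < > " and ', so the value can neither close the
    # quoted attribute nor open a tag in the text context.
    e = escape(d, quote=True)
    return f'<a href="/browseDirectory.jsp?dir={e}">{e}</a>'


class _TagCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def injected_tags(html_out: str) -> list[str]:
    """Tags present in the output beyond the template's own <a>; non-empty means injection."""
    p = _TagCollector()
    p.feed(html_out)
    return [t for t in p.tags if t != "a"]


if __name__ == "__main__":
    for probe in PROBES:
        d = dir_param(probe)
        print("unsafe:", injected_tags(render_unsafe(d)), "safe:", injected_tags(render_safe(d)))
```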
