From: "Elek, Marton (Jira)"
To: hdfs-issues@hadoop.apache.org
Date: Sat, 14 Sep 2019 03:15:00 +0000 (UTC)
Subject: [jira] [Assigned] (HDDS-2111) DOM XSS
Mailing-List: contact hdfs-issues-help@hadoop.apache.org; run by ezmlm

    [ https://issues.apache.org/jira/browse/HDDS-2111?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Elek, Marton reassigned HDDS-2111:
----------------------------------

    Assignee: Elek, Marton

> DOM XSS
> -------
>
>                 Key: HDDS-2111
>                 URL: https://issues.apache.org/jira/browse/HDDS-2111
>             Project: Hadoop Distributed Data Store
>          Issue Type: Bug
>          Components: S3
>            Reporter: Aayush
>            Assignee: Elek, Marton
>            Priority: Major
>
> VULNERABILITY DETAILS
> There is a way to bypass an anti-XSS filter for DOM XSS by exploiting "window.location.href".
> Considering a typical URL:
> scheme://domain:port/path?query_string#fragment_id
> Browsers correctly encode both the "path" and the "query_string", but not the "fragment_id".
> So if the "fragment_id" is used, the vector is also not logged on the Web Server.
> VERSION
> Chrome Version: 10.0.648.134 (Official Build 77917) beta
> REPRODUCTION CASE
> This is an index.html page:
> {code:java}
> aws s3api --endpoint create-bucket --bucket=wordcount
> {code}
> The attack vector is:
> index.html?#
> * PoC:
> For your convenience, a minimalist PoC is located on:
> http://security.onofri.org/xss_location.html?#
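The two observations in the report, that the fragment never reaches the server and that a page which copies `window.location` data into an HTML sink must escape it itself, can be checked with a few lines of plain Node.js. The following is an added example written for this archive page; it is not code from the HDDS-2111 report, from its PoC page, or from the Ozone S3 gateway. It uses the WHATWG `URL` API that Node.js and browsers share, and the sample URL with the `app.example` host and the `<tag>` marker in the fragment is constructed for the demonstration.

```javascript
// Added example, not code from the HDDS-2111 report or from Apache Ozone.
// Assumes Node.js with the built-in WHATWG URL class (no extra modules).

// What a browser puts in the HTTP request line: origin, path and query only.
// Server-side access logs and server-side XSS filters can inspect this part
// and nothing else; u.hash is deliberately omitted because it never leaves
// the browser.
function serverVisiblePart(href) {
  const u = new URL(href);
  return u.origin + u.pathname + u.search;
}

// The fragment as a page would typically read it back: decoded and without
// the leading '#'. A malformed percent-sequence such as "%zz" makes
// decodeURIComponent throw, so fall back to the raw text instead of
// crashing the page (an unhandled throw here is itself a robustness bug).
function fragmentOf(href) {
  const raw = new URL(href).hash.replace(/^#/, '');
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw;
  }
}

// Minimal HTML escaping for text placed inside an element body or a
// double-quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The pattern the report describes: location data is concatenated into
// markup that the page later assigns to innerHTML (or passes to
// document.write). Any markup in the fragment becomes live DOM. Kept here
// only to contrast with the hardened version below.
function unsafeRender(href) {
  return '<p>' + fragmentOf(href) + '</p>';
}

// Hardened form: the same fragment, escaped before it is used as markup.
// Equivalently, assign the fragment to textContent instead of innerHTML,
// which never parses it as HTML at all.
function safeRender(href) {
  return '<p>' + escapeHtml(fragmentOf(href)) + '</p>';
}

// Constructed sample URL: a harmless <tag> marker in the fragment stands in
// for whatever a user-controlled fragment might carry.
const sample = 'http://app.example/index.html?q=1#<tag>payload</tag>';
console.log(serverVisiblePart(sample)); // http://app.example/index.html?q=1
console.log(unsafeRender(sample));      // <p><tag>payload</tag></p>
console.log(safeRender(sample));        // <p>&lt;tag&gt;payload&lt;/tag&gt;</p>
```

Run it with `node` and compare the first line with what a server access log would record for the same request: the query string is there, the fragment is not, which is exactly why a server-side filter or log review cannot catch a fragment-carried vector and why the escaping has to happen on the client, at the sink.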