Posted to user@ambari.apache.org by Mark Kerzner <ma...@elephantscale.com> on 2015/06/01 15:54:40 UTC

Ambari XSS vulnerability?

Hi, all,

I think we have found this vulnerability, and it belongs to Ambari.

To reproduce:

1. Edit Flume configuration in Ambari
2. When adding a note, input a simple XSS script
3. Observe a dialog popup, annoyingly, three times, and then again.

I have not found a way to clean it up as yet.

Thank you,
Mark

-- 
Mark Kerzner, Managing Partner, Elephant Scale <http://elephantscale.com/>
Mobile: 713-724-2534, Skype: mark.kerzner1
https://www.linkedin.com/in/markkerzner
To schedule a meeting with me: http://www.meetme.so/markkerzner

RE: Ambari XSS vulnerability?

Posted by Myroslav Papyrkovskyy <mp...@hortonworks.com>.
Hello, Mark.
Unfortunately, I don't think there's a way to clean it up.
The note is stored as-is on the server side, and there's no way to modify or remove it (except by modifying the database directly), as it was designed to store the history of changes.
Perhaps someone else may help with fixing this on UI side.

Can you create an issue for this? (https://issues.apache.org/jira/browse/AMBARI)

I'm sure this should be fixed as soon as possible.


--
Regards,
Myroslav Papirkovskyy
________________________________
From: Mark Kerzner <ma...@elephantscale.com>
Sent: 1 June 2015 16:54
To: Ambari user
Subject: Ambari XSS vulnerability?

Hi, all,

I think we have found this vulnerability, and it belongs to Ambari.

To reproduce:

1. Edit Flume configuration in Ambari
2. When adding a note, input a simple XSS script
3. Observe a dialog popup, annoyingly, three times, and then again.

I have not found a way to clean it up as yet.

Thank you,
Mark

--
Mark Kerzner, Managing Partner, Elephant Scale <http://elephantscale.com/>
Mobile: 713-724-2534, Skype: mark.kerzner1
https://www.linkedin.com/in/markkerzner
To schedule a meeting with me: http://www.meetme.so/markkerzner
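The thread leaves two practical questions open: how the UI side can render a stored note safely when the note itself cannot be edited, and how an administrator can find the history rows that already contain markup. The following is an added illustration, not code from the Ambari project or from either poster; the function names, the row layout and the sample history are constructed for this example.

```javascript
// Added example, not part of the Ambari project or this thread: output-side
// HTML escaping for stored configuration notes, plus an audit helper that
// lists history rows whose note already contains markup. Function names and
// the sample history below are constructed for illustration.

// Escape the characters that can change HTML context or terminate an
// attribute value. Applied once, at render time: the stored note is left
// untouched, which fits a history table that is never rewritten.
// In a browser the equivalent is assigning the note to `textContent`
// instead of `innerHTML`.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render one config-version row. `version` is validated as an integer and
// emitted as a number; `note` is user-controlled and always passes through
// escapeHtml, including inside the title attribute used as a tooltip.
function renderHistoryEntry(entry) {
  const version = Number(entry.version);
  if (!Number.isInteger(version)) {
    throw new TypeError('version must be an integer');
  }
  const note = escapeHtml(entry.note);
  return `<li data-version="${version}" title="${note}">` +
    `<span class="version">V${version}</span> ` +
    `<span class="note">${note}</span></li>`;
}

// Render the full history. Every place a note is displayed goes through the
// same renderer, so there is no second code path that forgets to escape.
// (The report saw the popup fire several times, which is what happens when
// the same raw note is inserted as HTML at several points in the page.)
function renderHistory(entries) {
  return `<ul class="config-history">${entries.map(renderHistoryEntry).join('')}</ul>`;
}

// Audit helper: return the version numbers whose stored note contains
// characters that would be interpreted as markup if rendered raw. Useful
// for locating rows that need review when notes cannot be edited or deleted.
function findNotesWithMarkup(entries) {
  return entries
    .filter(e => /[<>]/.test(String(e.note)))
    .map(e => Number(e.version));
}

// Constructed sample: a Flume config history in which one note carries a
// script tag, as described in the report.
const SAMPLE_HISTORY = [
  { version: 1, note: 'Initial Flume agent config' },
  { version: 2, note: 'Raised channel capacity <script>alert(1)</script>' },
];

console.log(renderHistory(SAMPLE_HISTORY));
console.log('rows with markup:', findNotesWithMarkup(SAMPLE_HISTORY));
```

One caveat when applying this in a templating UI: escape exactly once, at the point of output. If the template engine already escapes interpolated values (Handlebars does for double-brace expressions but not for triple-brace ones), pre-escaping produces visible `&amp;lt;` noise, while using the unescaped form reintroduces the bug. The audit helper is deliberately crude; it flags any note containing angle brackets so a human can review the row, rather than attempting to decide which markup is harmful.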