You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-dev@hadoop.apache.org by "Haohui Mai (JIRA)" <ji...@apache.org> on 2014/12/10 06:17:12 UTC

[jira] [Created] (HADOOP-11385) Cross site scripting attack on JMXJSONServlet

Haohui Mai created HADOOP-11385:
-----------------------------------

             Summary: Cross site scripting attack on JMXJSONServlet
                 Key: HADOOP-11385
                 URL: https://issues.apache.org/jira/browse/HADOOP-11385
             Project: Hadoop Common
          Issue Type: Bug
            Reporter: Haohui Mai
            Assignee: Haohui Mai
            Priority: Critical


JMXJSONServlet allows passing a callback parameter in the JMX response, which is introduced in HADOOP-8922:

{code}
        // "callback" parameter implies JSONP outpout
        jsonpcb = request.getParameter(CALLBACK_PARAM);
        if (jsonpcb != null) {
          response.setContentType("application/javascript; charset=utf8");
          writer.write(jsonpcb + "(");
        } else {
          response.setContentType("application/json; charset=utf8");
        }
{code}

The code writes the callback parameter directly to the output, allowing cross-site scripting attack. This vulnerability allows the attacker easily stealing the credential of the user on the browser.

The original use case can be supported using Cross-origin resource sharing (CORS), which is used by the current NN web UI.

This jira proposes to move JMXJSONServlet to CORS.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)