You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-dev@hadoop.apache.org by "Haohui Mai (JIRA)" <ji...@apache.org> on 2014/12/10 06:17:12 UTC
[jira] [Created] (HADOOP-11385) Cross site scripting attack on
JMXJSONServlet
Haohui Mai created HADOOP-11385:
-----------------------------------
Summary: Cross site scripting attack on JMXJSONServlet
Key: HADOOP-11385
URL: https://issues.apache.org/jira/browse/HADOOP-11385
Project: Hadoop Common
Issue Type: Bug
Reporter: Haohui Mai
Assignee: Haohui Mai
Priority: Critical
JMXJSONServlet allows passing a callback parameter in the JMX response, which is introduced in HADOOP-8922:
{code}
// "callback" parameter implies JSONP outpout
jsonpcb = request.getParameter(CALLBACK_PARAM);
if (jsonpcb != null) {
response.setContentType("application/javascript; charset=utf8");
writer.write(jsonpcb + "(");
} else {
response.setContentType("application/json; charset=utf8");
}
{code}
The code writes the callback parameter directly to the output, allowing cross-site scripting attack. This vulnerability allows the attacker easily stealing the credential of the user on the browser.
The original use case can be supported using Cross-origin resource sharing (CORS), which is used by the current NN web UI.
This jira proposes to move JMXJSONServlet to CORS.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)