You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "andy zhou (JIRA)" <ji...@apache.org> on 2018/04/04 06:33:00 UTC
[jira] [Updated] (HBASE-20339) A potential security issue in
org.apache.hadoop.hbase.http.log.LogLevel.java
[ https://issues.apache.org/jira/browse/HBASE-20339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
andy zhou updated HBASE-20339:
------------------------------
Description:
Our program analyzer has detected a potential security issue as follows
{code:java}
PrintWriter out = ServletUtil.initHTML(response, "Log Level");
String logName = ServletUtil.getParameter(request, "log");
String level = ServletUtil.getParameter(request, "level");
if (logName != null) {
out.println("<br /><hr /><h3>Results</h3>");
out.println(MARKER
+ "Submitted Log Name: <b>" + logName + "</b><br />");
...
}{code}
Above is the code piece. Seems that the log name is directly collected from the web request, and only whether the data is null is checked. So an attacker may provide a "logName" with a piece of injected code, leading to cross-site attacks. And besides, the variable "level" may also have such vulnerability.
(org.apache.hadoop.hbase.http.log.LogLevel.java Line 111/118)
Linkage to the code is here:
[https://github.com/apache/hbase/blob/9e9b347d667e1fc6165c9f8ae5ae7052147e8895/hbase-http/src/main/java/org/apache/hadoop/hbase/http/log/LogLevel.java#L111]
SourceBrella inc.
was:
Our program analyzer have detected a potential security issue as follows
{code:java}
PrintWriter out = ServletUtil.initHTML(response, "Log Level");
String logName = ServletUtil.getParameter(request, "log");
String level = ServletUtil.getParameter(request, "level");
if (logName != null) {
out.println("<br /><hr /><h3>Results</h3>");
out.println(MARKER
+ "Submitted Log Name: <b>" + logName + "</b><br />");
...
}{code}
Above is the code piece. Seems that the log name is directly collected from the web request, and only whether the data is null is checked. So an attacker may provide a logName with a piece of injected code leading to cross-site attacks. And besides, the variable "level" may also have such vulnerability.
(org.apache.hadoop.hbase.http.log.LogLevel.java Line 111/118)
Linkage to the code is here:
https://github.com/apache/hbase/blob/9e9b347d667e1fc6165c9f8ae5ae7052147e8895/hbase-http/src/main/java/org/apache/hadoop/hbase/http/log/LogLevel.java#L111
SourceBrella inc.
> A potential security issue in org.apache.hadoop.hbase.http.log.LogLevel.java
> ----------------------------------------------------------------------------
>
> Key: HBASE-20339
> URL: https://issues.apache.org/jira/browse/HBASE-20339
> Project: HBase
> Issue Type: Bug
> Components: hbase
> Affects Versions: 2.0.0-beta-2
> Reporter: andy zhou
> Priority: Major
>
> Our program analyzer has detected a potential security issue as follows
> {code:java}
> PrintWriter out = ServletUtil.initHTML(response, "Log Level");
> String logName = ServletUtil.getParameter(request, "log");
> String level = ServletUtil.getParameter(request, "level");
> if (logName != null) {
> out.println("<br /><hr /><h3>Results</h3>");
> out.println(MARKER
> + "Submitted Log Name: <b>" + logName + "</b><br />");
> ...
> }{code}
> Above is the code piece. Seems that the log name is directly collected from the web request, and only whether the data is null is checked. So an attacker may provide a "logName" with a piece of injected code, leading to cross-site attacks. And besides, the variable "level" may also have such vulnerability.
>
> (org.apache.hadoop.hbase.http.log.LogLevel.java Line 111/118)
> Linkage to the code is here:
> [https://github.com/apache/hbase/blob/9e9b347d667e1fc6165c9f8ae5ae7052147e8895/hbase-http/src/main/java/org/apache/hadoop/hbase/http/log/LogLevel.java#L111]
>
> SourceBrella inc.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)