You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@oozie.apache.org by "YijieShen (JIRA)" <ji...@apache.org> on 2018/03/28 10:37:00 UTC
[jira] [Created] (OOZIE-3202) Oozie web console 'Custom Filter' can
be attacked by XSS vulnerability
YijieShen created OOZIE-3202:
--------------------------------
Summary: Oozie web console 'Custom Filter' can be attacked by XSS vulnerability
Key: OOZIE-3202
URL: https://issues.apache.org/jira/browse/OOZIE-3202
Project: Oozie
Issue Type: Bug
Components: workflow
Affects Versions: 4.3.1, 4.3.0, 4.2.0, 4.0.1, 4.1.0
Environment: {color:#666666}No sepcial environment is needed.
{color}
Reporter: YijieShen
Attachments: image-2018-03-28-18-32-33-384.png, image-2018-03-28-18-32-53-630.png, image-2018-03-28-18-33-13-322.png, image-2018-03-28-18-33-52-838.png, image-2018-03-28-18-34-07-930.png, image-2018-03-28-18-34-17-974.png, image-2018-03-28-18-34-34-268.png
Step1. Open oozie web console
Step2. Click 'Custom Filter' and 'Custom Filter'(menu)
!image-2018-03-28-18-32-33-384.png!
Step3. Input something like '<img src=11 onerror=alert(1)>' into 'Filter text', then click 'OK'
!image-2018-03-28-18-32-53-630.png!
Then we get some problem:
!image-2018-03-28-18-34-17-974.png!
!image-2018-03-28-18-34-34-268.png!
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)