Posted to issues@ambari.apache.org by "Krisztian Kasa (JIRA)" <ji...@apache.org> on 2019/05/21 06:40:00 UTC
[jira] [Created] (AMBARI-25280) Improper error handling when managing Ambari users
Krisztian Kasa created AMBARI-25280:
---------------------------------------
Summary: Improper error handling when managing Ambari users
Key: AMBARI-25280
URL: https://issues.apache.org/jira/browse/AMBARI-25280
Project: Ambari
Issue Type: Bug
Components: ambari-server
Affects Versions: 2.6.2
Reporter: Krisztian Kasa
Assignee: Krisztian Kasa
The application does not handle the error properly and reveals internal class names in the error
message, as shown in the HTTP request and response below. This happens when an admin user
tries to add an LDAP user that doesn't exist to a group.
HTTP Request:
{code}
PUT /api/v1/groups/csrf%20test/members HTTP/1.1
Host: xyz601:8080
Content-Length: 69
Accept: application/json, text/plain, */*
Origin: http://xyz601:8080
X-Requested-By: ambari
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Content-Type: plain/text
Referer: http://xyz601:8080/views/ADMIN_VIEW/2.6.2.2/INSTANCE/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: AMBARISESSIONID=nd54akraeumr1cmnz0gazantv
Connection: close
[{"MemberInfo/user_name":"test","MemberInfo/group_name":"csrf test"}]
{code}
HTTP Response:
{code}
HTTP/1.1 500 Internal Server Error
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cache-Control: no-store
Pragma: no-cache
User: hitepate
Content-Type: text/plain
Connection: close
{
"status" : 500,
"message" : "org.apache.ambari.server.controller.spi.SystemException: An internal system exception occurred: User test doesn't exist"
}
{code}
*Remediation Recommendations*
When errors occur, the site should respond with a specifically designed result that is helpful to the
user without revealing unnecessary internal details.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
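Added example, not code from the ticket or from the Ambari code base: a Python sketch of the error-body construction the ticket complains about (the exception's toString() copied straight into the client message) next to a hardened version that maps known domain errors to a fixed client-safe message and status, sends everything else to the server log under a correlation id, and a regex check that can be run over error responses as a regression test for leaked Java class names. The SystemException stand-in, the ClientVisibleError/UserNotFoundError classes, and the response body copied from the ticket are all constructed for this example.

```python
"""Leaky vs. hardened error bodies, plus a check for leaked internal class names.

Added example; not Ambari project code. Names below are constructed stand-ins.
"""
import json
import logging
import re
import uuid

log = logging.getLogger("server")


class SystemException(Exception):
    """Constructed stand-in for org.apache.ambari.server.controller.spi.SystemException.
    __str__ mimics Java's Throwable.toString(): '<fully.qualified.Class>: <message>'."""

    QUALIFIED_NAME = "org.apache.ambari.server.controller.spi.SystemException"

    def __str__(self) -> str:
        return f"{self.QUALIFIED_NAME}: An internal system exception occurred: {self.args[0]}"


class ClientVisibleError(Exception):
    """Constructed base class: errors whose status and message are safe to show a client."""

    status = 400
    safe_message = "Bad request."


class UserNotFoundError(ClientVisibleError):
    """Constructed: the 'user does not exist' case from the ticket, mapped to a 404."""

    status = 404
    safe_message = "The requested user does not exist."


def leaky_error_body(exc: Exception) -> dict:
    """What the ticket shows: str(exc) (Java's toString) lands in the client message,
    so the fully-qualified class name and internal detail leak to the caller."""
    return {"status": 500, "message": str(exc)}


def safe_error_body(exc: Exception) -> dict:
    """Hardened handler: known domain errors get their own status and fixed message;
    anything else becomes a generic 500 with a correlation id. The exception detail,
    including the class name, goes only to the server log under that id."""
    if isinstance(exc, ClientVisibleError):
        return {"status": exc.status, "message": exc.safe_message}
    ref = uuid.uuid4().hex[:12]
    log.error("request failed ref=%s", ref, exc_info=exc)
    return {"status": 500, "message": "An internal error occurred.", "reference": ref}


# Java-style fully-qualified class name: two or more lowercase package segments
# followed by a CamelCase simple name, e.g. org.apache.ambari.server.Foo
_FQCN = re.compile(r"\b(?:[a-z_][a-z0-9_]*\.){2,}[A-Z][A-Za-z0-9_$]*\b")


def leaks_internal_names(body: str) -> list:
    """Return the Java class names found in a response body (empty list = clean).
    Intended as a regression check run over every error response a test client sees."""
    return _FQCN.findall(body)


# Response body copied from the ticket (constructed input for the check below).
CAPTURED_RESPONSE_BODY = (
    '{ "status" : 500, "message" : "org.apache.ambari.server.controller.spi.SystemException: '
    'An internal system exception occurred: User test doesn\'t exist" }'
)


def demo() -> dict:
    """Run the ticket's scenario through both handlers and the leak check."""
    leaky = leaky_error_body(SystemException("User test doesn't exist"))
    hardened = safe_error_body(UserNotFoundError("test"))
    generic = safe_error_body(RuntimeError("ldap bind failed: cn=svc,dc=example,dc=org"))
    return {
        "captured_leaks": leaks_internal_names(CAPTURED_RESPONSE_BODY),
        "leaky_leaks": leaks_internal_names(json.dumps(leaky)),
        "hardened_leaks": leaks_internal_names(json.dumps(hardened)),
        "hardened": hardened,
        "generic": generic,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is deliberately narrow (it looks only for Java-style class names), so it will not catch every leaked detail; the real fix is the handler design, which never formats an exception into the client message in the first place.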