Posted to issues@ambari.apache.org by "Krisztian Kasa (JIRA)" <ji...@apache.org> on 2019/05/21 06:40:00 UTC

[jira] [Created] (AMBARI-25280) Improper error handling when managing Ambari users

Krisztian Kasa created AMBARI-25280:
---------------------------------------

             Summary: Improper error handling when managing Ambari users
                 Key: AMBARI-25280
                 URL: https://issues.apache.org/jira/browse/AMBARI-25280
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: 2.6.2
            Reporter: Krisztian Kasa
            Assignee: Krisztian Kasa


The application does not handle the error properly and reveals internal class names in the error
message as shown in the below HTTP Request and Response. This happens when an admin user
tries to add an LDAP user that doesn't exist to a group.

HTTP Request:
{code}
PUT /api/v1/groups/csrf%20test/members HTTP/1.1
Host: xyz601:8080
Content-Length: 69
Accept: application/json, text/plain, */*
Origin: http://xyz601:8080
X-Requested-By: ambari
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Content-Type: plain/text
Referer: http://xyz601:8080/views/ADMIN_VIEW/2.6.2.2/INSTANCE/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: AMBARISESSIONID=nd54akraeumr1cmnz0gazantv
Connection: close
[{"MemberInfo/user_name":"test","MemberInfo/group_name":"csrf test"}]
{code}
HTTP Response:
{code}
HTTP/1.1 500 Internal Server Error
X-Frame-Options: DENY
Severity: Low
Status: New
Ease of Exploit: Easy
Classification: Improper Output Handling
Hadoop refresh (Break Glass) - UMF Visa Restricted 32
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cache-Control: no-store
Pragma: no-cache
User: hitepate
Content-Type: text/plain
Connection: close
{
"status" : 500,
"message" : "org.apache.ambari.server.controller.spi.SystemException: An internal system exception occurred: User test doesn't exist"
}
{code}

*Remediation Recommendations*
When errors occur, the site should respond with a specifically designed result that is helpful to the
user without revealing unnecessary internal details.
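The following is an added illustration of that recommendation, written for this page and not taken from Ambari's code base. It models the failing request above with a hypothetical membership handler (`add_members`, `handle_request`, the `UserNotFound`/`GroupNotFound` exceptions and the small in-memory user store are all assumptions), maps each domain error to a client-safe status and message at the API boundary, keeps the exception detail in a server-side log entry keyed by a reference id, and includes a detection check (`leaked_class_names`) that flags Java class names in a response body, which is what the ticket's 500 response would trip.

```python
"""Error-response hygiene for a group-membership endpoint (added example, not Ambari code)."""
import json
import logging
import re
import uuid

log = logging.getLogger("api")

# Constructed copy of the response body the ticket shows, used as detection input.
LEAKED_BODY = json.dumps({
    "status": 500,
    "message": ("org.apache.ambari.server.controller.spi.SystemException: "
                "An internal system exception occurred: User test doesn't exist"),
})

# A Java fully-qualified class name ending in Exception or Error (e.g. a.b.c.FooException).
JAVA_EXCEPTION_RE = re.compile(r"\b(?:[a-z_]\w*\.){2,}[A-Z]\w*(?:Exception|Error)\b")


def leaked_class_names(body: str) -> list:
    """Detection check: every Java exception class name found in a response body."""
    return JAVA_EXCEPTION_RE.findall(body)


class UserNotFound(Exception):
    """Hypothetical domain error: a member to be added is unknown."""


class GroupNotFound(Exception):
    """Hypothetical domain error: the target group is unknown."""


# Toy stand-in for the LDAP-backed user and group store (constructed sample data).
USERS = {"admin", "alice"}
GROUPS = {"csrf test": set()}


def add_members(group: str, members: list) -> dict:
    """Business logic: add users to a group, raising typed errors for bad input."""
    if group not in GROUPS:
        raise GroupNotFound(group)
    for m in members:
        if m["MemberInfo/user_name"] not in USERS:
            raise UserNotFound(m["MemberInfo/user_name"])
    GROUPS[group].update(m["MemberInfo/user_name"] for m in members)
    return {"status": 200, "message": "OK"}


# Ordered mapping from exception type to a client-safe (status, message) pair.
# The message intentionally repeats nothing taken from the exception object.
ERROR_MAP = [
    (UserNotFound, (404, "One or more requested users do not exist.")),
    (GroupNotFound, (404, "The requested group does not exist.")),
    (KeyError, (400, "Request body is missing a required field.")),
    (ValueError, (400, "Request body is not valid JSON.")),  # JSONDecodeError subclasses ValueError
]


def classify(exc: Exception) -> tuple:
    """Pick the safe response for an exception; anything unmapped becomes a generic 500."""
    for exc_type, response in ERROR_MAP:
        if isinstance(exc, exc_type):
            return response
    return 500, "An internal error occurred."


def handle_request(group: str, body: str) -> tuple:
    """API boundary: turn any exception into a sanitised (status, json_body) pair."""
    try:
        members = json.loads(body)
        result = add_members(group, members)
        return 200, json.dumps(result)
    except Exception as exc:
        status, message = classify(exc)
        ref = uuid.uuid4().hex[:8]
        # Full detail (class name, cause) stays server-side, tied to a reference id
        # the caller can quote when asking an operator to look the failure up.
        log.error("ref=%s group=%r exc=%r", ref, group, exc)
        return status, json.dumps({"status": status, "message": message, "reference": ref})


if __name__ == "__main__":
    print("leaked in ticket body:", leaked_class_names(LEAKED_BODY))
    status, body = handle_request(
        "csrf test", '[{"MemberInfo/user_name":"test","MemberInfo/group_name":"csrf test"}]')
    print(status, body, "leaked:", leaked_class_names(body))
```

The same `leaked_class_names` check can be run over captured API responses in a test suite or a proxy log to catch regressions of this class of bug, while `classify` is the single place where the status-code policy lives, so a new exception type that is not mapped degrades to a generic 500 rather than to an echoed stack trace.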

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)