You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ambari.apache.org by "Andrii Babiichuk (JIRA)" <ji...@apache.org> on 2019/05/21 13:00:00 UTC

[jira] [Resolved] (AMBARI-25283) Ambari UI evaluates Javascript embedded in user input when adding hosts, adding remote clusters, and renaming the cluster

     [ https://issues.apache.org/jira/browse/AMBARI-25283?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrii Babiichuk resolved AMBARI-25283.
---------------------------------------
    Resolution: Fixed

Merged to branch-2.7

> Ambari UI evaluates Javascript embedded in user input when adding hosts, adding remote clusters, and renaming the cluster
> -------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-25283
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25283
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-admin
>    Affects Versions: 2.7.3
>            Reporter: Andrii Babiichuk
>            Assignee: Andrii Babiichuk
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.7.4
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> Ambari's UI evaluates Javascript blocks embedded in user input when adding hosts, adding remote clusters, and renaming the cluster.
> The script evaluation appears to occur before the data is submitted and saved to the Ambari database (if save at all).  Therefore, no XSS vulnerability needs to be reported since the scope of the threat is only to the interactive user at the instance the data is evaluated.
> *Add remote cluster steps to reproduce:*
> # Log into ambari and navigate to admin > Manage Ambari> Cluster Management>  Remote Cluster > Register Remote Cluster
> # Enter malicious script in Ambari Cluster URL textbox and click on save. The output of XSS is reflected. 
> *Add hosts steps to reproduce:*
> # Log into ambari and navigate to Hosts> Actions>  Add New Hosts
> # Enter malicious script in Target Hosts textbox and click on save. The output of XSS is reflected
> *Edit cluster name steps to reproduce:*
> # Log into ambari and navigate to admin > Manage Ambari> Cluster Management>  Cluster Information
> # Enter malicious script in Cluster Name textbox. The output of XSS is reflected



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)