You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Gautam Borad (JIRA)" <ji...@apache.org> on 2015/03/12 19:56:38 UTC
[jira] [Updated] (RANGER-284) Replace "Agents" with "Plugins" in
Ranger Admin UI
[ https://issues.apache.org/jira/browse/RANGER-284?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gautam Borad updated RANGER-284:
--------------------------------
Summary: Replace "Agents" with "Plugins" in Ranger Admin UI (was: Sanitize User Data to prevent XSS - Security Vulnerability)
> Replace "Agents" with "Plugins" in Ranger Admin UI
> --------------------------------------------------
>
> Key: RANGER-284
> URL: https://issues.apache.org/jira/browse/RANGER-284
> Project: Ranger
> Issue Type: Bug
> Affects Versions: 0.4.0
> Reporter: Gautam Borad
> Assignee: Gautam Borad
> Fix For: 0.5.0
>
>
> *Steps to reproduce*
> * Set user agent to something like this - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) <script>alert(1);</script>"
> * Try to login to policy admin with an incorrect username/password
> * Now login as admin user
> * Go to Audit tab --> Login Sessions
> * You will notice the failed logins displayed
> * Click on the failed login session id
> * Click Login sessions
> * You will notice a Javascript popup alert (entered in the user agent)
> *Expected Result*
> Unauthorized users should not be able to change the behavior of the application
> *Actual Result*
> Unauthorized users are able to put javascript code that can be executed in admin users context
> *Fix*
> Sanitize the user input data and any data comes from user.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)