You are viewing a plain text version of this content. The canonical link for it is here.
Posted to hdfs-dev@hadoop.apache.org by "Haohui Mai (JIRA)" <ji...@apache.org> on 2014/10/11 02:20:34 UTC
[jira] [Resolved] (HDFS-6684) HDFS NN and DN JSP pages do not check
for script injection.
[ https://issues.apache.org/jira/browse/HDFS-6684?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Haohui Mai resolved HDFS-6684.
------------------------------
Resolution: Not a Problem
This is no longer an issue after HDFS-6252 is merged into branch-2.
> HDFS NN and DN JSP pages do not check for script injection.
> -----------------------------------------------------------
>
> Key: HDFS-6684
> URL: https://issues.apache.org/jira/browse/HDFS-6684
> Project: Hadoop HDFS
> Issue Type: Bug
> Affects Versions: 2.1.0-beta, 2.2.0, 2.3.0, 2.4.1
> Reporter: Jinghui Wang
> Assignee: Jinghui Wang
> Attachments: HDFS-6684.patch
>
>
> Datanode's browseDirectory.jsp is not filtering script injection, able to inject a script with dir parameter using dir=/hadoop'\"/><script>alert(759)</script>.
> NameNode's dfsnodelist.sjp is not filtering script injection either. Able to set the sorter/order parameter to "DSC%20onMouseOver=alert(959)//".
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)