Posted to hdfs-dev@hadoop.apache.org by "Haohui Mai (JIRA)" <ji...@apache.org> on 2014/10/11 02:20:34 UTC

[jira] [Resolved] (HDFS-6684) HDFS NN and DN JSP pages do not check for script injection.

     [ https://issues.apache.org/jira/browse/HDFS-6684?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Haohui Mai resolved HDFS-6684.
------------------------------
    Resolution: Not a Problem

This is no longer an issue after HDFS-6252 is merged into branch-2.

> HDFS NN and DN JSP pages do not check for script injection.
> -----------------------------------------------------------
>
>                 Key: HDFS-6684
>                 URL: https://issues.apache.org/jira/browse/HDFS-6684
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 2.1.0-beta, 2.2.0, 2.3.0, 2.4.1
>            Reporter: Jinghui Wang
>            Assignee: Jinghui Wang
>         Attachments: HDFS-6684.patch
>
>
> Datanode's browseDirectory.jsp is not filtering script injection; it is possible to inject a script with the dir parameter using dir=/hadoop'\"/><script>alert(759)</script>.
> NameNode's dfsnodelist.jsp is not filtering script injection either. It is possible to set the sorter/order parameter to "DSC%20onMouseOver=alert(959)//".



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
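
An added example, not part of the original message and not Hadoop code: one way a page can handle the two parameter kinds named in the report, by HTML-encoding free-form values such as dir before writing them into markup and by matching enumerated values such as the sort order against an allow-list. The class and method names are hypothetical, and "ASC" as the second permitted order value is an assumption (only "DSC" appears in the report).

```java
import java.util.Set;

// Added illustration; names are hypothetical and this is not the project's code.
public class JspParamEncoding {

    // Assumed allow-list: "DSC" appears in the report, "ASC" is an assumption.
    private static final Set<String> SORT_ORDERS = Set.of("ASC", "DSC");

    /** Encode a value for HTML element content or a quoted attribute value. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Enumerated parameters are matched against the allow-list, never echoed back. */
    static String sortOrder(String raw) {
        return raw != null && SORT_ORDERS.contains(raw) ? raw : "ASC";
    }

    public static void main(String[] args) {
        // Constructed inputs: the two parameter values quoted in the report
        // (the second one URL-decoded, as the servlet container would deliver it).
        String dir = "/hadoop'\\\"/><script>alert(759)</script>";
        String order = "DSC onMouseOver=alert(959)//";

        // Encoded and placed in a quoted attribute, the value cannot close
        // the attribute or the tag, so the markup stays inert text.
        System.out.println("<input type=\"text\" name=\"dir\" value=\""
                + escapeHtml(dir) + "\">");

        // The unexpected order value is discarded in favour of the default.
        System.out.println("order=" + sortOrder(order));
    }
}
```

Encoding alone does not protect an unquoted attribute, which is why the sort order is validated against fixed values instead of being escaped and echoed.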