You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ambari.apache.org by "amarnath reddy pappu (JIRA)" <ji...@apache.org> on 2018/09/12 16:31:00 UTC

[jira] [Created] (AMBARI-24628) Fix possible "Phishing by Navigating Browser Tabs" vulnerability

amarnath reddy pappu created AMBARI-24628:
---------------------------------------------

             Summary: Fix possible "Phishing by Navigating Browser Tabs" vulnerability
                 Key: AMBARI-24628
                 URL: https://issues.apache.org/jira/browse/AMBARI-24628
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: trunk, 2.6.2
            Reporter: amarnath reddy pappu


According to details found at https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/phishing-by-navigating-browser-tabs/, it is possible to change the "window.opener.location" value in browser windows opened using normal anchor tags where the "target" attribute is specified as "_blank".

This gives an attacker the ability to change the parent location and thus potentially allow for a phishing attack to invoked.

To help this situation, it is suggested that the following attribute be set along with the "target" attribute:


{noformat}
rel="noopener noreferrer"
{noformat}

For example:


{noformat}
<a href="..." target="_blank" rel="noopener noreferrer">...</a>
{noformat}




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)