Posted to issues@hbase.apache.org by "andy zhou (JIRA)" <ji...@apache.org> on 2018/04/04 06:31:00 UTC
[jira] [Created] (HBASE-20339) A potential security issue in org.apache.hadoop.hbase.http.log.LogLevel.java
andy zhou created HBASE-20339:
---------------------------------
Summary: A potential security issue in org.apache.hadoop.hbase.http.log.LogLevel.java
Key: HBASE-20339
URL: https://issues.apache.org/jira/browse/HBASE-20339
Project: HBase
Issue Type: Bug
Components: hbase
Affects Versions: 2.0.0-beta-2
Reporter: andy zhou
Our program analyzer has detected a potential security issue as follows:
{code:java}
// Handler excerpt as reported: both request parameters are written into the
// response without HTML escaping.
PrintWriter out = ServletUtil.initHTML(response, "Log Level");
String logName = ServletUtil.getParameter(request, "log");
String level = ServletUtil.getParameter(request, "level");
if (logName != null) {
  out.println("<br /><hr /><h3>Results</h3>");
  // logName is concatenated into the page as-is; the null check above is the only guard.
  out.println(MARKER
      + "Submitted Log Name: <b>" + logName + "</b><br />");
  ...
}
{code}
Above is the code piece. It seems that the log name is collected directly from the web request, and only whether it is null is checked, so an attacker may provide a logName containing injected code, leading to cross-site scripting attacks. Besides, the variable "level" may have the same vulnerability.
(org.apache.hadoop.hbase.http.log.LogLevel.java, lines 111 and 118)
Link to the code:
https://github.com/apache/hbase/blob/9e9b347d667e1fc6165c9f8ae5ae7052147e8895/hbase-http/src/main/java/org/apache/hadoop/hbase/http/log/LogLevel.java#L111
SourceBrella inc.
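Added example (not HBase's code and not the patch eventually applied to LogLevel.java): the reported response line built by unescaped concatenation next to the same line with the parameter HTML-escaped, plus an allow-list check for "level"; the escapeHtml helper, the class name and the level list are assumptions.

```java
import java.util.Locale;
import java.util.Set;

public class LogLevelEscaping {
    // Allowed level names only (assumed list); anything else is rejected
    // before it reaches the logger or the response page.
    private static final Set<String> ALLOWED_LEVELS =
        Set.of("ALL", "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF");

    // Minimal HTML escaper for text placed into element content
    // (assumed helper, not part of HBase's ServletUtil).
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    static boolean isAllowedLevel(String level) {
        return level != null && ALLOWED_LEVELS.contains(level.toUpperCase(Locale.ROOT));
    }

    // As reported: the request parameter is concatenated into the HTML unchanged.
    static String vulnerableLine(String logName) {
        return "Submitted Log Name: <b>" + logName + "</b><br />";
    }

    // Hardened: the same line with the parameter escaped for element content.
    static String hardenedLine(String logName) {
        return "Submitted Log Name: <b>" + escapeHtml(logName) + "</b><br />";
    }

    public static void main(String[] args) {
        // Constructed sample value: a "log name" that carries markup and a quote.
        String logName = "<b>not a logger</b> & \"x\"";
        System.out.println(vulnerableLine(logName)); // markup reaches the page intact
        System.out.println(hardenedLine(logName));   // markup is shown as literal text
        System.out.println(isAllowedLevel("debug") + " " + isAllowedLevel("<b>x"));
    }
}
```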
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)