Posted to issues@ambari.apache.org by "Krisztian Kasa (JIRA)" <ji...@apache.org> on 2019/05/23 10:55:00 UTC

[jira] [Resolved] (AMBARI-25280) Improper error handling when managing Ambari users

     [ https://issues.apache.org/jira/browse/AMBARI-25280?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Krisztian Kasa resolved AMBARI-25280.
-------------------------------------
    Resolution: Fixed

> Improper error handling when managing Ambari users
> --------------------------------------------------
>
>                 Key: AMBARI-25280
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25280
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.7.3
>            Reporter: Krisztian Kasa
>            Assignee: Krisztian Kasa
>            Priority: Critical
>              Labels: pull-request-available
>             Fix For: 2.7.4
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> The application does not handle the error properly and reveals internal class names in the error
> message as shown in the below HTTP Request and Response. This happens when an admin user
> tries to add an LDAP user that doesn't exist to a group.
> HTTP Request:
> {code}
> PUT /api/v1/groups/csrf%20test/members HTTP/1.1
> Host: xyz601:8080
> Content-Length: 69
> Accept: application/json, text/plain, */*
> Origin: http://xyz601:8080
> X-Requested-By: ambari
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
> like Gecko) Chrome/70.0.3538.102 Safari/537.36
> Content-Type: plain/text
> Referer: http://xyz601:8080/views/ADMIN_VIEW/2.6.2.2/INSTANCE/
> Accept-Encoding: gzip, deflate
> Accept-Language: en-US,en;q=0.9
> Cookie: AMBARISESSIONID=nd54akraeumr1cmnz0gazantv
> Connection: close
> [{"MemberInfo/user_name":"test","MemberInfo/group_name":"csrf test"}]
> {code}
> HTTP Response:
> {code}
> HTTP/1.1 500 Internal Server Error
> X-Frame-Options: DENY
> Severity: Low
> Status: New
> Ease of Exploit: Easy
> Classification: Improper Output Handling
> Hadoop refresh (Break Glass) - UMF Visa Restricted 32
> X-XSS-Protection: 1; mode=block
> X-Content-Type-Options: nosniff
> Cache-Control: no-store
> Pragma: no-cache
> User: hitepate
> Content-Type: text/plain
> Connection: close
> {
> "status" : 500,
> "message" : "org.apache.ambari.server.controller.spi.SystemException: An internal
> system exception occurred: User test doesn't exist"
> }
> {code}
> *Remediation Recommendations*
> When errors occur, the site should respond with a specifically designed result that is helpful to the
> user without revealing unnecessary internal details.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
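As an added example (not Ambari's own code), the remediation recommended above sketched in Python: an error handler that gives the client a fixed message plus a correlation id and keeps the exception details in the server log, beside a check that scans an error body for leaked Java exception class names, run here against the response body quoted in the issue. The `ResourceNotFound` class and the logger name are assumptions.

```python
import json
import logging
import re
import uuid

# Sample input constructed from the response body quoted in the issue above.
LEAKY_RESPONSE = {
    "status": 500,
    "message": "org.apache.ambari.server.controller.spi.SystemException: An internal "
               "system exception occurred: User test doesn't exist",
}

# A fully qualified Java class name ending in Exception/Error, e.g. a.b.c.SystemException.
JAVA_EXCEPTION_RE = re.compile(r"\b(?:[a-z_]\w*\.){2,}[A-Z]\w*(?:Exception|Error)\b")


def leaked_class_names(body: dict) -> list:
    """Return Java exception class names found anywhere in a JSON error body.

    This is the check a response-review step (or a test in CI) would run
    to catch the kind of leak reported in the issue.
    """
    return JAVA_EXCEPTION_RE.findall(json.dumps(body))


class ResourceNotFound(Exception):
    """Hypothetical domain error raised when a referenced user does not exist."""


def safe_error_body(exc: Exception, log=logging.getLogger("ambari.api")) -> dict:
    """Hardened handler: the client gets a fixed message and a reference id only.

    The class name and raw message go to the server log, keyed by the same id,
    so an operator can still correlate a user's report with the stack trace.
    """
    incident_id = uuid.uuid4().hex[:12]
    log.error("incident=%s %s: %s", incident_id, type(exc).__qualname__, exc)
    if isinstance(exc, ResourceNotFound):
        # An expected client-side mistake: tell the caller what to fix, nothing about internals.
        return {"status": 404, "message": f"The requested user does not exist (ref {incident_id})"}
    return {"status": 500, "message": f"An internal error occurred (ref {incident_id})"}
```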