Posted to issues@ambari.apache.org by "Julia (JIRA)" <ji...@apache.org> on 2018/08/08 01:48:00 UTC

[jira] [Updated] (AMBARI-24420) XSS in Ambari Add Host Wizard

     [ https://issues.apache.org/jira/browse/AMBARI-24420?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Julia updated AMBARI-24420:
---------------------------
    Summary: XSS in Ambari Add Host Wizard  (was: Attacker can Stop all services)

> XSS in Ambari Add Host Wizard
> -----------------------------
>
>                 Key: AMBARI-24420
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24420
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-client
>    Affects Versions: 2.7.1
>            Reporter: Julia
>            Priority: Critical
>
> It is possible for an attacker to cause a denial of service situation for a cluster/user. By having a user simply load/visit a URL, all the services on the cluster will be stopped. Not only will this interrupt service, but if the right URLs are loaded in the correct order, services can be in an unrecoverable state. This is an example of configuration changes happening, and services being stopped before such changes are properly made; then the services will try to start in a bad configuration state. This is in addition to possible data loss of any jobs happening at the time.
> Requests which can cause state changes should not be "GET" requests which can be abused in such a manner.
>  
> Repro steps:
>  
> Attacker can DoS/interrupt your cluster by having you visit a URL unknowingly:
> https://xxxxxxxxxxxxxxxx.azurehdinsight.net/#/main/services/highAvailability/JournalNode/manage/step4
> !https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/bbc264fe-d6f3-4f74-8a63-9e5a6fdff754?fileName=attachfilehandler%20%284%29.png!
> !https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/50bd00ca-d219-4f07-8a22-ea58f9f3408d?fileName=attachfilehandler%20%285%29.png!
> Also able to force a configuration change by visiting a URL before the shutdown.
> Force configuration change:
> https://xxxxxxxxxxxxxxxx.azurehdinsight.net/#/main/service/reassign/step4
> !https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/6b7ca029-cbf2-43dc-8eba-23992ba777dc?fileName=attachfilehandler%20%286%29.png!
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
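The report's root cause is a wizard whose final step performs a state change as soon as its hash route is entered, so a deep link alone is enough to trigger it. The following is an added illustration, not Ambari code, of the defensive pattern the reporter asks for: the route guard refuses to render a later step than the user has actually confirmed, and the state change is issued only from an explicit user action as a non-GET request. The `createWizard` helper, the `api.request` interface, the CSRF header name and the request path are hypothetical stand-ins.

```javascript
// Added example (not from Ambari): guard a hash-routed wizard against deep links.
// Route shape mirrors the one in the report; everything else is a hypothetical stand-in.
const STEP_PATTERN = /^#\/main\/services\/highAvailability\/JournalNode\/manage\/step(\d+)$/;
const FINAL_STEP = 4;

function createWizard(api) {
  // Progress lives only in memory, so a freshly loaded page always starts at step 1.
  const state = { highestStepConfirmed: 0, currentStep: 1 };

  return {
    // Called on every hashchange. Returns the step actually rendered, never a side effect.
    navigate(hash) {
      const m = STEP_PATTERN.exec(hash);
      if (!m) return { step: 1, reason: 'unknown route' };
      const requested = Number(m[1]);
      if (requested > state.highestStepConfirmed + 1) {
        // Deep link past the confirmed steps (e.g. a link straight to step4 in a
        // fresh session): fall back to step 1 and do nothing else.
        state.currentStep = 1;
        return { step: 1, reason: 'redirected' };
      }
      state.currentStep = requested;
      return { step: requested, reason: 'ok' };
    },

    // Bound to the step's "Next"/"Apply" button. Only here, at the final step, is the
    // state-changing request sent, and it is a PUT carrying an anti-CSRF header,
    // so it cannot be reproduced by merely loading a URL.
    confirmCurrentStep(csrfToken) {
      if (state.currentStep === FINAL_STEP) {
        return api.request(
          'PUT',
          '/hypothetical/api/clusters/c1/services', // placeholder path
          { 'X-CSRF-Token': csrfToken },            // placeholder header name
          { ServiceInfo: { state: 'INSTALLED' } },
        );
      }
      state.highestStepConfirmed = Math.max(state.highestStepConfirmed, state.currentStep);
      return null;
    },
  };
}
```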