[
https://issues.apache.org/jira/browse/HADOOP-12964?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15238095#comment-15238095
]
Hudson commented on HADOOP-12964:
---------------------------------
FAILURE: Integrated in Hadoop-trunk-Commit #9600 (See
[https://builds.apache.org/job/Hadoop-trunk-Commit/9600/])
HADOOP-12964. Http server vulnerable to clickjacking (haibochen via (rkanter:
rev 042a3ae960883c263adc76f16d0ea3438d8b12be)
*
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
*
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java
> Http server vulnerable to clickjacking
> ---------------------------------------
>
> Key: HADOOP-12964
> URL: https://issues.apache.org/jira/browse/HADOOP-12964
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Haibo Chen
> Assignee: Haibo Chen
> Attachments: hadoop-12964.001.patch, hadoop-12964.002.patch,
> hadoop-12964.003.patch
>
>
> Nessus report shows a medium level issue that "Web Application Potentially
> Vulnerable to Clickjacking" with the description as follows:
> "The remote web server does not set an X-Frame-Options response header in all
> content responses. This could potentially expose the site to a clickjacking
> or UI Redress attack wherein an attacker can trick a user into clicking an
> area of the vulnerable page that is different than what the user perceives
> the page to be. This can result in a user performing fraudulent or malicious
> transactions"
> We could add X-Frame-Options, supported in all major browsers, in the Http
> response header to mitigate the issue.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
