elek opened a new pull request #1447: HDDS-2111. XSS fragments can be injected to the S3g landing page
URL: https://github.com/apache/hadoop/pull/1447

VULNERABILITY DETAILS

There is a way to bypass the anti-XSS filter for DOM XSS by exploiting "window.location.href". Consider a typical URL:

scheme://domain:port/path?query_string#fragment_id

Browsers correctly encode both "path" and "query_string", but not the "fragment_id". So if the "fragment_id" is used, the vector is also not logged on the web server.

VERSION

Chrome Version: 10.0.648.134 (Official Build 77917) beta

REPRODUCTION CASE

This is an index.html page:

{code:java}
aws s3api --endpoint <script>document.write(window.location.href.replace("static/", ""))</script> create-bucket --bucket=wordcount</pre>
{code}

The attack vector is:

index.html?#<script>alert('XSS');</script>

* PoC: For your convenience, a minimalist PoC is located at: http://security.onofri.org/xss_location.html?#<script>alert('XSS');</script>

* References
- DOM Based Cross-Site Scripting or XSS of the Third Kind - http://www.webappsec.org/projects/articles/071105.shtml
- https://bugs.chromium.org/p/chromium/issues/detail?id=76796

See: https://issues.apache.org/jira/browse/HDDS-2111
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
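The following is an added illustration, not code from the PR or from Ozone's S3 gateway: it puts the report's vulnerable pattern (the raw href, fragment included, concatenated into HTML) beside one possible hardening that keeps only the URL origin and HTML-escapes it. It runs under Node, so the href is passed in as a parameter instead of read from window.location; the sample href, host and port are constructed values.

```javascript
// Vulnerable pattern, mirroring the page's document.write(...) snippet:
// the whole href (including the never-encoded fragment) becomes markup.
function renderEndpointUnsafe(href) {
  return "<pre>aws s3api --endpoint " + href.replace("static/", "") +
         " create-bucket --bucket=wordcount</pre>";
}

// Minimal HTML escaping so any leftover metacharacters render as text.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// The endpoint only needs scheme://host[:port]. Parsing with URL and
// taking .origin discards path, query string and, crucially, the fragment,
// which browsers neither encode nor send to the server.
function endpointFromHref(href) {
  return new URL(href).origin;
}

// Hardened rendering (an assumed fix, not necessarily the one the PR shipped):
// reduce to the origin, then escape before it touches the DOM.
function renderEndpointSafe(href) {
  const endpoint = escapeHtml(endpointFromHref(href));
  return "<pre>aws s3api --endpoint " + endpoint +
         " create-bucket --bucket=wordcount</pre>";
}

// Constructed sample: a gateway landing page opened with the PR's vector
// in the fragment. In a browser this would be window.location.href.
const SAMPLE_HREF =
  "http://localhost:9878/static/index.html?#<script>alert('XSS');</script>";

// Quick self-check when run directly: the unsafe output still carries the
// script tag; the safe output does not.
console.log(renderEndpointUnsafe(SAMPLE_HREF).includes("<script>alert"));
console.log(renderEndpointSafe(SAMPLE_HREF));
```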
