[
https://issues.apache.org/jira/browse/OOZIE-3202?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
YijieShen updated OOZIE-3202:
-----------------------------
Attachment: (was: image-2018-03-28-18-33-52-838.png)
> Oozie web console 'Custom Filter' can be attacked by XSS vulnerability
> -----------------------------------------------------------------------
>
> Key: OOZIE-3202
> URL: https://issues.apache.org/jira/browse/OOZIE-3202
> Project: Oozie
> Issue Type: Bug
> Components: workflow
> Affects Versions: 4.1.0, 4.0.1, 4.2.0, 4.3.0, 4.3.1
> Environment: {color:#666666}No sepcial environment is needed.
> {color}
> Reporter: YijieShen
> Priority: Major
> Attachments: image-2018-03-28-18-32-33-384.png,
> image-2018-03-28-18-32-53-630.png, image-2018-03-28-18-33-13-322.png,
> image-2018-03-28-18-34-17-974.png, image-2018-03-28-18-34-34-268.png
>
>
> Step1. Open oozie web console
> Step2. Click 'Custom Filter' and 'Custom Filter'(menu)
> !image-2018-03-28-18-32-33-384.png!
> Step3. Input something like '<img src=11 onerror=alert(1)>' into 'Filter
> text', then click 'OK'
> !image-2018-03-28-18-32-53-630.png!
> Then we get some problem:
> !image-2018-03-28-18-34-17-974.png!
> !image-2018-03-28-18-34-34-268.png!
>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
