[
https://issues.apache.org/jira/browse/RANGER-284?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gautam Borad updated RANGER-284:
--------------------------------
Attachment: RANGER-284-Escape-HTML-before-displaying-to-prevent-.patch
> Sanitize User Data to prevent XSS - Security Vulnerability
> ----------------------------------------------------------
>
> Key: RANGER-284
> URL: https://issues.apache.org/jira/browse/RANGER-284
> Project: Ranger
> Issue Type: Bug
> Affects Versions: 0.4.0
> Reporter: Gautam Borad
> Assignee: Gautam Borad
> Fix For: 0.5.0
>
> Attachments:
> RANGER-284-Escape-HTML-before-displaying-to-prevent-.patch
>
>
> *Steps to reproduce*
> * Set user agent to something like this - "Mozilla/4.0 (compatible; MSIE 6.0;
> Windows NT 5.0) <script>alert(1);</script>"
> * Try to login to policy admin with an incorrect username/password
> * Now login as admin user
> * Go to Audit tab --> Login Sessions
> * You will notice the failed logins displayed
> * Click on the failed login session id
> * Click Login sessions
> * You will notice a Javascript popup alert (entered in the user agent)
> *Expected Result*
> Unauthorized users should not be able to change the behavior of the
> application
> *Actual Result*
> Unauthorized users are able to put javascript code that can be executed in
> admin users context
> *Fix*
> Sanitize the user input data and any data comes from user.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
