[ 
https://issues.apache.org/jira/browse/STORM-408?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14097614#comment-14097614
 ] 

Parth Brahmbhatt edited comment on STORM-408 at 8/14/14 8:41 PM:
-----------------------------------------------------------------

According to https://github.com/janl/mustache.js/ when we use {{ unsafe data }} 
the content is assumed to be unsafe and escaped by mustache. All Storm mustache 
templates use {{unsafe data}} so all the user-entered content is treated as 
unsafe. I tried replicating your example and even though the script is rendered, 
the browser indeed does not run the alert as it is already escaped. If I 
change the template from unsafe {{unsafe data}} to safe {{{safe data}}} tag 
then the alert pops up. 

Let me know if you still think Storm UI has this vulnerability. Otherwise, 
please confirm here that the vulnerability does not exist so someone can 
resolve this JIRA.


was (Author: parth.brahmbhatt):
According to https://github.com/janl/mustache.js/ when we use {{}} the content 
is assumed to be unsafe and escaped by mustache. All Storm mustache templates 
use {{}} so all the user-entered content is treated as unsafe. I tried 
replicating your example and even though the script is rendered, the browser 
indeed does not run the alert as it is already escaped. If I change the 
template from unsafe {{unsafe data}} to safe {{{safe data}}} tag then the alert 
pops up. 

Let me know if you still think Storm UI has this vulnerability. Otherwise, 
please confirm here that the vulnerability does not exist so someone can 
resolve this JIRA.

> Cross-Site Scripting security vulnerability
> -------------------------------------------
>
>                 Key: STORM-408
>                 URL: https://issues.apache.org/jira/browse/STORM-408
>             Project: Apache Storm (Incubating)
>          Issue Type: Bug
>    Affects Versions: 0.9.3-incubating
>         Environment: Java
>            Reporter: Anand Krishnan
>              Labels: security
>             Fix For: 0.9.3-incubating, feature-security
>
>
> There are Cross-Site Scripting security vulnerabilities in Apache Storm.
> The risk is that it is possible to steal or manipulate customer session and 
> cookies, which might be used to impersonate a legitimate user, allowing the 
> hacker to view or alter user records, and to perform transactions as that 
> user.
> The reason is that sanitation of hazardous characters was not performed 
> correctly on user input.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
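
The escaping behaviour described in the comment above, as an added example that is not part of the original message and is not Storm's or mustache.js's code: a simplified stand-in for double and triple mustache variable tags, plus a template audit that lists tags which bypass escaping. The field name `topologyName` and the sample templates are constructed for illustration.

```javascript
// Simplified stand-in for mustache.js variable tags; not the library itself.
// Escape map modelled on the one mustache.js applies to {{name}} tags.
const ENTITY_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#39;', '/': '&#x2F;', '`': '&#x60;', '=': '&#x3D;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=\/]/g, (ch) => ENTITY_MAP[ch]);
}

// Single pass so that raw-inserted values are never re-scanned for tags.
// Group 1: {{{name}}}, group 2: {{&name}}, group 3: {{name}}.
const TAG = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{&\s*([\w.]+)\s*\}\}|\{\{\s*([\w.]+)\s*\}\}/g;

function render(template, view) {
  const lookup = (name) => (view[name] == null ? '' : view[name]);
  return template.replace(TAG, (match, raw3, rawAmp, escaped) => {
    if (escaped !== undefined) return escapeHtml(lookup(escaped));
    return String(lookup(raw3 !== undefined ? raw3 : rawAmp));
  });
}

// Template audit: report every tag that bypasses escaping, with its line.
function findUnescapedTags(templateSource) {
  const hits = [];
  templateSource.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(/\{\{\{[^}]*\}\}\}|\{\{&[^}]*\}\}/g)) {
      hits.push({ line: i + 1, tag: m[0] });
    }
  });
  return hits;
}

// Constructed sample data (hypothetical field name, not a Storm template).
const payload = '<script>alert(1)</script>';
const escapedTpl = '<td>{{topologyName}}</td>';
const rawTpl = '<td>{{{topologyName}}}</td>';

console.log(render(escapedTpl, { topologyName: payload }));
console.log(render(rawTpl, { topologyName: payload }));
console.log(findUnescapedTags(escapedTpl + '\n' + rawTpl));
```

Running the audit over every template file and failing the build on any hit keeps the "all templates use {{}}" property from regressing.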
