Jinghui Wang created HDFS-6684:
----------------------------------

Summary: HDFS NN and DN JSP pages do not check for script injection.
Key: HDFS-6684
URL: https://issues.apache.org/jira/browse/HDFS-6684
Project: Hadoop HDFS
Issue Type: Bug
Affects Versions: 2.4.1, 2.3.0, 2.2.0, 2.1.0-beta
Reporter: Jinghui Wang
Assignee: Jinghui Wang
Datanode's browseDirectory.jsp is not filtering script injection; a script can be injected via the dir parameter using dir=/hadoop'\"/><script>alert(759)</script>.

NameNode's dfsnodelist.jsp is not filtering script injection either. The sorter/order parameter can be set to "DSC%20onMouseOver=alert(959)//".

--
This message was sent by Atlassian JIRA
(v6.2#6252)
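The two parameters above fail in different ways: the dir value breaks out of the page because nothing is HTML-escaped, while the sort value works even without any angle brackets because it lands in an unquoted attribute, where a space is enough to start a new attribute. The following is an added illustration, not code from the HDFS JSPs: the markup, the `sortOrder` attribute name and the escaper are assumptions standing in for whatever the pages and the project's own HTML-quoting helper emit.

```java
/** Added example, not HDFS code: why the HDFS-6684 parameters are exploitable and how escaping plus quoting fixes it. */
public class JspParamEscapeDemo {

    /** Escape the characters that let a value break out of HTML text or a quoted attribute. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable pattern: the request parameter is written straight into the page. */
    static String vulnerableDirLink(String dir) {
        return "<a href=\"browseDirectory.jsp?dir=" + dir + "\">" + dir + "</a>";
    }

    /** Fixed: the untrusted value is escaped at every output point, inside quoted attributes. */
    static String safeDirLink(String dir) {
        String d = escapeHtml(dir);
        return "<a href=\"browseDirectory.jsp?dir=" + d + "\">" + d + "</a>";
    }

    /** Vulnerable: an unquoted attribute, so a space in the value starts a new attribute. */
    static String vulnerableSortHeader(String order) {
        return "<th sortOrder=" + order + ">Name</th>";
    }

    /** Fixed: quote the attribute AND escape; either measure alone still leaves a breakout. */
    static String safeSortHeader(String order) {
        return "<th sortOrder=\"" + escapeHtml(order) + "\">Name</th>";
    }

    public static void main(String[] args) {
        // Constructed inputs with the same shape as the values quoted in the ticket.
        String dir = "/hadoop'\"/><script>alert(759)</script>";
        String order = "DSC onMouseOver=alert(959)//";
        System.out.println(vulnerableDirLink(dir) + "\n" + safeDirLink(dir));
        System.out.println(vulnerableSortHeader(order) + "\n" + safeSortHeader(order));
    }
}
```

A value that is reused inside an href should additionally be URL-encoded (java.net.URLEncoder) before the HTML escaping shown here, since the demo only addresses the HTML context.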