[ https://issues.apache.org/jira/browse/HDDS-2111?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nanda kumar updated HDDS-2111: ------------------------------ Fix Version/s: 0.4.1 > XSS fragments can be injected to the S3g landing page > ------------------------------------------------------- > > Key: HDDS-2111 > URL: https://issues.apache.org/jira/browse/HDDS-2111 > Project: Hadoop Distributed Data Store > Issue Type: Bug > Components: S3 > Reporter: Aayush > Assignee: Elek, Marton > Priority: Major > Labels: pull-request-available > Fix For: 0.4.1, 0.5.0 > > Time Spent: 50m > Remaining Estimate: 0h > > VULNERABILITY DETAILS > There is a way to bypass anti-XSS filter for DOM XSS exploiting a > "window.location.href". > Considering a typical URL: > scheme://domain:port/path?query_string#fragment_id > Browsers encode correctly both "path" and "query_string", but not the > "fragment_id". > So if used "fragment_id" the vector is also not logged on Web Server. > VERSION > Chrome Version: 10.0.648.134 (Official Build 77917) beta > REPRODUCTION CASE > This is an index.html page: > {code:java} > aws s3api --endpoint > <script>document.write(window.location.href.replace("static/", ""))</script> > create-bucket --bucket=wordcount</pre> > {code} > The attack vector is: > index.html?#<script>alert('XSS');</script> > * PoC: > For your convenience, a minimalist PoC is located on: > http://security.onofri.org/xss_location.html?#<script>alert('XSS');</script> > * References > - DOM Based Cross-Site Scripting or XSS of the Third Kind - > http://www.webappsec.org/projects/articles/071105.shtml > reference:- > https://bugs.chromium.org/p/chromium/issues/detail?id=76796 -- This message was sent by Atlassian Jira (v8.3.2#803003) --------------------------------------------------------------------- To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org