Brahma Reddy Battula created HDFS-17942:
-------------------------------------------
Summary: Stored XSS in NameNode File Browser (explorer.js)
Key: HDFS-17942
URL: https://issues.apache.org/jira/browse/HDFS-17942
Project: Hadoop HDFS
Issue Type: Bug
Reporter: Brahma Reddy Battula
Assignee: Brahma Reddy Battula
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/explorer.js:29 and :53
{code:java}
Error text returned from the server is injected into the DOM as HTML:
{code:javascript}
function show_err_msg(msg) {
$('#alert-panel-body').html(msg); // line 29 — HTML sink
}
...
var msg = '<p>' + jqxhr.responseJSON.RemoteException.message + "</p>"; //
line 53{code}
RemoteException.message (and other server-supplied strings routed through
show_err_msg) can contain attacker-influenced content — e.g. a file/path name
containing markup that surfaces in an exception message. Because it is inserted
via
.html(), embedded markup/script executes in the context of the NameNode web
UI (stored/reflected XSS), enabling session/UI compromise of operators browsing
HDFS.
*Proposed fix:* render user/server-supplied messages as text, not HTML — use
$('#alert-panel-body').text(msg) and pass the plain message string (drop the
'<p>'+ ... +'</p>' HTML wrapping). Audit other .html() sinks in the webapps for
the same
pattern.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]