Brahma Reddy Battula created HDFS-17942:
-------------------------------------------

             Summary: Stored XSS in NameNode File Browser (explorer.js)
                 Key: HDFS-17942
                 URL: https://issues.apache.org/jira/browse/HDFS-17942
             Project: Hadoop HDFS
          Issue Type: Bug
            Reporter: Brahma Reddy Battula
            Assignee: Brahma Reddy Battula


hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/explorer.js:29 and :53
{code:java}
  Error text returned from the server is injected into the DOM as HTML:
  {code:javascript}
  function show_err_msg(msg) {
    $('#alert-panel-body').html(msg);     // line 29 — HTML sink
  }
  ...
  var msg = '<p>' + jqxhr.responseJSON.RemoteException.message + "</p>";  // 
line 53{code}
  RemoteException.message (and other server-supplied strings routed through 
show_err_msg) can contain attacker-influenced content — e.g. a file/path name 
containing markup that surfaces in an exception message. Because it is inserted 
via
  .html(), embedded markup/script executes in the context of the NameNode web 
UI (stored/reflected XSS), enabling session/UI compromise of operators browsing 
HDFS.

  *Proposed fix:* render user/server-supplied messages as text, not HTML — use 
$('#alert-panel-body').text(msg) and pass the plain message string (drop the 
'<p>'+ ... +'</p>' HTML wrapping). Audit other .html() sinks in the webapps for 
the same
  pattern.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to