[ https://issues.apache.org/jira/browse/HDFS-6684?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14062406#comment-14062406 ]
Jinghui Wang commented on HDFS-6684:
------------------------------------
Patch attached.
> HDFS NN and DN JSP pages do not check for script injection.
> -----------------------------------------------------------
>
> Key: HDFS-6684
> URL: https://issues.apache.org/jira/browse/HDFS-6684
> Project: Hadoop HDFS
> Issue Type: Bug
> Affects Versions: 2.1.0-beta, 2.2.0, 2.3.0, 2.4.1
> Reporter: Jinghui Wang
> Assignee: Jinghui Wang
> Attachments: HDFS-6684.patch
>
>
> Datanode's browseDirectory.jsp is not filtering script injection; it is possible to
> inject a script with the dir parameter using
> dir=/hadoop'\"/><script>alert(759)</script>.
> NameNode's dfsnodelist.jsp is not filtering script injection either. It is possible to
> set the sorter/order parameter to "DSC%20onMouseOver=alert(959)//".
--
This message was sent by Atlassian JIRA
(v6.2#6252)