[
https://issues.apache.org/jira/browse/IMPALA-7859?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16692154#comment-16692154
]
bharath v commented on IMPALA-7859:
-----------------------------------
[~davidxdh] We don't construct a SQL query using the params from this endpoint.
So a SQL injection kinda attack is not possible AFAICT. However, it is
interesting that nessus scan flagged only this endpoint (among others) and we'd
like to understand why.
Does the report include any diagnostic information on what test URL was
constructed and what was expected/actual output etc?
> Nessus Scan find CGI Generic SQL Injection.
> -------------------------------------------
>
> Key: IMPALA-7859
> URL: https://issues.apache.org/jira/browse/IMPALA-7859
> Project: IMPALA
> Issue Type: Bug
> Components: Backend
> Affects Versions: Impala 2.10.0
> Reporter: Donghui Xu
> Priority: Major
>
> The nessus scan report shows that the 25000 port and the 25020 port contain
> the risk of SQL injection, as follows:
> + The following resources may be vulnerable to blind SQL injection :
> + The 'object_type' parameter of the /catalog_object CGI :
> /catalog_object?object_name=_impala_builtins&object_type=DATABASEzz_impa
> la_builtins&object_type=DATABASEyy
> How can I solve this problem? Thanks.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org
For additional commands, e-mail: issues-all-h...@impala.apache.org
