Nitiraj Singh Rathore created AMBARI-24509:
----------------------------------------------
Summary: Security vulnerabilities with Hive view (XSS)
Key: AMBARI-24509
URL: https://issues.apache.org/jira/browse/AMBARI-24509
Project: Ambari
Issue Type: Bug
Components: ambari-views
Affects Versions: 2.6.0
Reporter: Nitiraj Singh Rathore
Assignee: Nitiraj Singh Rathore
Fix For: 2.6.2
It is possible for an attacker to steal information or access from users by
executing malicious javascript. This is possible due to hive directly taking
data/information from events and directly populating messages, this includes
directly inserting data that contains html or javascript code. Leveraging this
one user could create a malicious message to steal access or information of
another user. Upon viewing the malicious message the vicitim would be
comprimised by directly scraping any information on the page, modify its
appearence, or having their session information stolen.
Bug reproduce steps:
1. go to Hive view from Ambari
2. click on 'Tables' and click on '+' to create a new table
3. In the table name input: '"<img src=x onerror=alert(document.domain)>"' and
add a column with name <img src=x onerror=alert(document.domain)> and datatype
TINYINT and click on create
4. There is a javascript popup showing the document name and domain name
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
