[
https://issues.apache.org/jira/browse/AMBARI-24509?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nitiraj Singh Rathore resolved AMBARI-24509.
--------------------------------------------
Resolution: Fixed
UI will not accept input with javascript in its text.
> Security vulnerabilities with Hive view (XSS)
> ---------------------------------------------
>
> Key: AMBARI-24509
> URL: https://issues.apache.org/jira/browse/AMBARI-24509
> Project: Ambari
> Issue Type: Bug
> Components: ambari-views
> Affects Versions: 2.6.0
> Reporter: Nitiraj Singh Rathore
> Assignee: Nitiraj Singh Rathore
> Priority: Major
> Labels: pull-request-available
> Fix For: 2.6.2
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> It is possible for an attacker to steal information or access from users by
> executing malicious javascript. This is possible due to hive directly taking
> data/information from events and directly populating messages, this includes
> directly inserting data that contains html or javascript code. Leveraging
> this one user could create a malicious message to steal access or information
> of another user. Upon viewing the malicious message the vicitim would be
> comprimised by directly scraping any information on the page, modify its
> appearence, or having their session information stolen.
> Bug reproduce steps:
> 1. go to Hive view from Ambari
> 2. click on 'Tables' and click on '+' to create a new table
> 3. In the table name input: '"<img src=x onerror=alert(document.domain)>"'
> and add a column with name <img src=x onerror=alert(document.domain)> and
> datatype TINYINT and click on create
> 4. There is a javascript popup showing the document name and domain name
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
