[jira] [Commented] (AMBARI-24509) Security vulnerabilities with Hive view (XSS)

Thu, 23 Aug 2018 04:29:12 -0700 


    [ 
https://issues.apache.org/jira/browse/AMBARI-24509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16590103#comment-16590103
 ] 

Hudson commented on AMBARI-24509:
---------------------------------

FAILURE: Integrated in Jenkins build Ambari-branch-2.6 #697 (See 
[https://builds.apache.org/job/Ambari-branch-2.6/697/])
AMBARI-24509 : Security vulnerabilities with Hive view (XSS) (github: 
[https://gitbox.apache.org/repos/asf?p=ambari.git&a=commit&h=64551dfc719bbd49dd7b7791b7cb700121709a88])
* (edit) 
contrib/views/hive20/src/main/resources/ui/app/components/create-table.js
* (edit) 
contrib/views/hive20/src/main/resources/ui/app/templates/components/alert-message.hbs
* (edit) 
contrib/views/hive20/src/main/resources/ui/app/templates/components/create-table.hbs
* (edit) contrib/views/hive20/src/main/resources/ui/package.json
* (edit) contrib/views/hive20/src/main/resources/ui/yarn.lock
* (edit) 
contrib/views/hive20/src/main/resources/ui/app/templates/components/column-item.hbs
* (edit) 
contrib/views/hive20/src/main/resources/ui/app/components/column-item.js


> Security vulnerabilities with Hive view (XSS)
> ---------------------------------------------
>
>                 Key: AMBARI-24509
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24509
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-views
>    Affects Versions: 2.6.0
>            Reporter: Nitiraj Singh Rathore
>            Assignee: Nitiraj Singh Rathore
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.6.2
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> It is possible for an attacker to steal information or access from users by 
> executing malicious javascript. This is possible due to hive directly taking 
> data/information from events and directly populating messages, this includes 
> directly inserting data that contains html or javascript code. Leveraging 
> this one user could create a malicious message to steal access or information 
> of another user. Upon viewing the malicious message the vicitim would be 
> comprimised by directly scraping any information on the page, modify its 
> appearence, or having their session information stolen.
> Bug reproduce steps:
> 1. go to Hive view from Ambari
> 2. click on 'Tables' and click on '+' to create a new table
> 3. In the table name input: '"<img src=x onerror=alert(document.domain)>"' 
> and add a column with name <img src=x onerror=alert(document.domain)> and 
> datatype TINYINT and click on create
> 4. There is a javascript popup showing the document name and domain name



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to