[ 
https://issues.apache.org/jira/browse/AMBARI-24628?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16626374#comment-16626374
 ] 

Hudson commented on AMBARI-24628:
---------------------------------

SUCCESS: Integrated in Jenkins build Ambari-logsearch-ga-test #2 (See 
[https://builds.apache.org/job/Ambari-logsearch-ga-test/2/])
AMBARI-24628. Fix possible "Phishing by Navigating Browser Tabs" 
(aleksandrkovalenko: 
[https://gitbox.apache.org/repos/asf?p=ambari.git&a=commit&h=8c9b50cdd4e091312277067bf4c142deb23c8f16])
* (edit) ambari-web/app/templates/common/host_progress_popup.hbs
* (edit) ambari-web/app/templates/main/alerts/definition_details.hbs
* (edit) ambari-web/app/templates/main/dashboard/widgets/hdfs_links.hbs
* (edit) ambari-web/app/templates/main/dashboard/widgets/yarn_links.hbs
* (edit) ambari-web/app/messages.js
* (edit) ambari-web/app/templates/main/dashboard/widgets/hbase_links.hbs
* (edit) ambari-web/app/templates/main/host/logs.hbs
* (edit) ambari-web/app/templates/common/modal_popups/log_tail_popup.hbs
* (edit) ambari-web/app/templates/main/service/info/summary.hbs
AMBARI-24628. Fix possible "Phishing by Navigating Browser Tabs" 
(aleksandrkovalenko: 
[https://gitbox.apache.org/repos/asf?p=ambari.git&a=commit&h=e3c3e34b317009d39a1e795c1c5c01767e69bbfb])
* (edit) ambari-web/app/templates/main/dashboard/widgets/hdfs_links.hbs


> Fix possible "Phishing by Navigating Browser Tabs" vulnerability
> ----------------------------------------------------------------
>
>                 Key: AMBARI-24628
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24628
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: trunk, 2.6.2
>            Reporter: amarnath reddy pappu
>            Assignee: Aleksandr Kovalenko
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.7.2
>
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> According to details found at 
> https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/phishing-by-navigating-browser-tabs/,
>  it is possible to change the "window.opener.location" value in browser 
> windows opened using normal anchor tags where the "target" attribute is 
> specified as "_blank".
> This gives an attacker the ability to change the parent location and thus 
> potentially allow for a phishing attack to be invoked.
> To help this situation, it is suggested that the following attribute be set 
> along with the "target" attribute:
> {noformat}
> rel="noopener noreferrer"
> {noformat}
> For example:
> {noformat}
> <a href="..." target="_blank" rel="noopener noreferrer">...</a>
> {noformat}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
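
A check for the pattern the issue describes, as an added example (not code from the Ambari commit): a Node.js function that scans template text for anchors with target="_blank" and reports which of the rel tokens recommended in the issue are missing. The function names and the sample template are constructed for illustration.

```javascript
// Added example, not project code. Flags <a target="_blank"> tags whose rel
// attribute lacks the tokens recommended in the issue description.
const REQUIRED_REL = ['noopener', 'noreferrer'];

// Read one attribute value from a raw tag string (double-, single- or unquoted).
function attr(tag, name) {
  const re = new RegExp(
    '\\s' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Return one finding per unsafe anchor: 1-based line, missing tokens, raw tag.
function findUnsafeBlankLinks(template) {
  const findings = [];
  const tagRe = /<a\b[^>]*>/gi; // [^>] spans newlines, so multi-line tags match
  let m;
  while ((m = tagRe.exec(template)) !== null) {
    const tag = m[0];
    const target = attr(tag, 'target');
    if (!target || target.toLowerCase() !== '_blank') continue;
    const rel = (attr(tag, 'rel') || '').toLowerCase().split(/\s+/).filter(Boolean);
    const missing = REQUIRED_REL.filter((t) => !rel.includes(t));
    if (missing.length > 0) {
      const line = template.slice(0, m.index).split('\n').length;
      findings.push({ line, missing, tag });
    }
  }
  return findings;
}

// Constructed sample in the style of a Handlebars template (not from the repo).
const SAMPLE = [
  '<a href="http://example.invalid/ui" target="_blank">NameNode UI</a>',
  '<a {{bindAttr href="view.logUrl"}}',
  '   target="_blank" rel="noopener">Logs</a>',
  '<a href="#" {{action showDetails}}>Details</a>',
  '<a href="http://example.invalid/m" target="_blank" rel="noopener noreferrer">Metrics</a>',
].join('\n');

for (const f of findUnsafeBlankLinks(SAMPLE)) {
  console.log(`line ${f.line}: missing rel token(s): ${f.missing.join(', ')}`);
}
```

Run over each edited `.hbs` file's contents, an empty result means every `target="_blank"` anchor carries both tokens.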
