[jira] [Assigned] (AMBARI-24420) XSS in Ambari Add Host Wizard

Robert Levas (JIRA) Wed, 21 Nov 2018 05:33:10 -0800


     [ 
https://issues.apache.org/jira/browse/AMBARI-24420?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Robert Levas reassigned AMBARI-24420:
-------------------------------------

    Assignee: Robert Levas

> XSS in Ambari Add Host Wizard
> -----------------------------
>
>                 Key: AMBARI-24420
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24420
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-client
>    Affects Versions: 2.7.1
>            Reporter: Julia
>            Assignee: Robert Levas
>            Priority: Critical
>
> It is possible for an attacker to steal information or access from users by 
> executing malicious JavaScript. This is possible due to the use of a 
> javascript "eval()" function when loading the SSH private key. Leveraging 
> this any malicious data in any file uploaded, not just private keys, would 
> execute. In the case of private keys, malicious script in the metadata of the 
> key would execute. An attacker could directly scrap and information on the 
> page, modify its appearance, or steal the users sessions information.
>  
> Repro:
>  
> +{color:#0066cc}[https://xxxxx.azurehdinsight.net/#/main/host/add/step1]{color}+
> !https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/f65e2526-613e-4af7-910e-7a19a4376a6d?fileName=attachfilehandler.png!
>  
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Assigned] (AMBARI-24420) XSS in Ambari Add Host Wizard

Reply via email to