[ 
https://issues.apache.org/jira/browse/DRILL-5766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16156831#comment-16156831
 ] 

Arina Ielchiieva commented on DRILL-5766:
-----------------------------------------

When a user was submitting {{<script>alert(document.cookie)</script>}} from the query 
page, this value was included in the error page and in the profile page, and since 
HTML-specific characters were not escaped, the script was executed. In some places in 
Drill we have escaped such characters using the freemarker function 
{{[html|http://freemarker.org/docs/ref_builtins_string.html#ref_builtin_html]}}, 
but you need to put it everywhere on a freemarker page where you expect such 
output. In newer freemarker versions the {{html}} function is deprecated; instead it is 
recommended to use the [auto-escaping 
mechanism|http://freemarker.org/docs/dgui_misc_autoescaping.html], where you 
don't need to specify selectively where to escape specific characters but 
escape them by default, and when you don't need to escape you can use the {{no_esc}} 
function. I suggest we upgrade to a newer freemarker version - 2.3.26-incubating - 
and use the auto-escaping mechanism to prevent XSS vulnerabilities.

> Stored XSS in APACHE DRILL
> --------------------------
>
>                 Key: DRILL-5766
>                 URL: https://issues.apache.org/jira/browse/DRILL-5766
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Functions - Drill
>    Affects Versions: 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.11.0
>         Environment: Apache drill installed in debian system
>            Reporter: Sanjog Panda
>            Assignee: Arina Ielchiieva
>            Priority: Critical
>              Labels: cross-site-scripting, security, security-issue, xss
>             Fix For: 1.12.0
>
>         Attachments: XSS - Sink.png, XSS - Source.png
>
>
> Hello Apache security team,
> I have been testing an application which internally uses the Apache Drill 
> software v1.6 as of now.
> I found XSS on the profile page (sink), where the user's malicious input comes 
> from the Query page (source) where you run a query. 
> Affected URL : https://localhost:8047/profiles 
> Once the user gives the below payload and loads the profile page, it gets 
> triggered and is stored.
> I have attached the screenshot of the payload 
> <script>alert(document.cookie)</script>.
> *[screenshot link]*
> https://drive.google.com/file/d/0B8giJ3591fvUbm5JZWtjUTg3WmEwYmJQeWd6dURuV0gzOVd3/view?usp=sharing
> https://drive.google.com/file/d/0B8giJ3591fvUV2lJRzZWOWRGNzN5S0JzdVlXSG1iNnVwRlAw/view?usp=sharing
>  



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
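The difference between the selective {{?html}} approach and FreeMarker's auto-escaping that the comment above describes, shown as an added stand-alone Java example (not Drill's code and not part of the JIRA thread). It assumes FreeMarker 2.3.26 on the classpath; the template names, the {{query}}/{{preformatted}} model keys and the second template's "trusted" value are constructed for illustration.

```java
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import freemarker.cache.StringTemplateLoader;
import freemarker.core.HTMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;

public class AutoEscapeDemo {

    // Constructed input: the payload quoted in DRILL-5766.
    static final String PAYLOAD = "<script>alert(document.cookie)</script>";

    // Render a named template against a model and return the produced markup.
    static String render(Configuration cfg, String name, Map<String, Object> model)
            throws Exception {
        Template t = cfg.getTemplate(name);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        StringTemplateLoader loader = new StringTemplateLoader();

        // Legacy pattern (the vulnerable shape from the issue): a plain .ftl template
        // has no output format, so nothing is escaped unless the author wrote
        // ${query?html} at every single interpolation. This one forgot.
        loader.putTemplate("profile-legacy.ftl", "<td>${query}</td>\n");

        // Hardened pattern: the .ftlh extension selects the HTML output format, so
        // every ${...} is entity-escaped by default. Markup that is deliberately
        // built server-side has to opt out explicitly with ?no_esc, which makes the
        // unescaped sinks greppable instead of the escaped ones.
        loader.putTemplate("profile.ftlh",
                "<td>${query}</td>\n"
              + "<pre>${preformatted?no_esc}</pre>\n");

        Configuration cfg = new Configuration(Configuration.VERSION_2_3_26);
        cfg.setTemplateLoader(loader);
        // On by default for incompatible_improvements >= 2.3.24; set explicitly here
        // so the behaviour does not depend on the version constant above.
        cfg.setRecognizeStandardFileExtensions(true);
        // Alternative for a code base whose templates all keep the .ftl extension:
        // force HTML auto-escaping for every template regardless of its name.
        // cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);

        Map<String, Object> model = new HashMap<>();
        model.put("query", PAYLOAD);
        // Assumed trusted markup; ?no_esc must only ever be applied to values like this.
        model.put("preformatted", "<b>server-generated markup</b>");

        System.out.print(render(cfg, "profile-legacy.ftl", model));
        System.out.print(render(cfg, "profile.ftlh", model));
    }
}
```

The legacy template writes the payload into the page verbatim, which is exactly the profile-page sink from the report; the .ftlh template emits the same value with its angle brackets, quotes and ampersands entity-encoded, and only the value explicitly marked {{?no_esc}} reaches the browser as markup. When migrating, review every existing {{?no_esc}} (and every {{?html}} removed) the same way you would review a raw SQL string: each one is a place where the default protection was switched off on purpose.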