andy zhou created HBASE-20339:
---------------------------------
Summary: A potential security issue in
org.apache.hadoop.hbase.http.log.LogLevel.java
Key: HBASE-20339
URL: https://issues.apache.org/jira/browse/HBASE-20339
Project: HBase
Issue Type: Bug
Components: hbase
Affects Versions: 2.0.0-beta-2
Reporter: andy zhou
Our program analyzer have detected a potential security issue as follows
{code:java}
PrintWriter out = ServletUtil.initHTML(response, "Log Level");
String logName = ServletUtil.getParameter(request, "log");
String level = ServletUtil.getParameter(request, "level");
if (logName != null) {
out.println("<br /><hr /><h3>Results</h3>");
out.println(MARKER
+ "Submitted Log Name: <b>" + logName + "</b><br />");
...
}{code}
Above is the code piece. Seems that the log name is directly collected from the
web request, and only whether the data is null is checked. So an attacker may
provide a logName with a piece of injected code leading to cross-site attacks.
And besides, the variable "level" may also have such vulnerability.
(org.apache.hadoop.hbase.http.log.LogLevel.java Line 111/118)
Linkage to the code is here:
https://github.com/apache/hbase/blob/9e9b347d667e1fc6165c9f8ae5ae7052147e8895/hbase-http/src/main/java/org/apache/hadoop/hbase/http/log/LogLevel.java#L111
SourceBrella inc.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
