[ https://issues.apache.org/jira/browse/HBASE-20339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

andy zhou updated HBASE-20339:
------------------------------
    Description: 
Our program analyzer has detected a potential security issue as follows 
{code:java}
PrintWriter out = ServletUtil.initHTML(response, "Log Level");
String logName = ServletUtil.getParameter(request, "log");
String level = ServletUtil.getParameter(request, "level");

if (logName != null) {
   out.println("<br /><hr /><h3>Results</h3>");
   out.println(MARKER
        + "Submitted Log Name: <b>" + logName + "</b><br />");
  ...
}{code}
Above is the code piece. It seems that the log name is directly collected from the 
web request, and only whether the data is null is checked. So an attacker may 
provide a "logName" with a piece of injected code, leading to cross-site 
attacks. Besides, the variable "level" may also have such a vulnerability.
(org.apache.hadoop.hbase.http.log.LogLevel.java Line 111/118)

Linkage to the code is here:

[https://github.com/apache/hbase/blob/9e9b347d667e1fc6165c9f8ae5ae7052147e8895/hbase-http/src/main/java/org/apache/hadoop/hbase/http/log/LogLevel.java#L111]
SourceBrella inc.

  was:
Our program analyzer has detected a potential security issue as follows 
{code:java}
PrintWriter out = ServletUtil.initHTML(response, "Log Level");
String logName = ServletUtil.getParameter(request, "log");
String level = ServletUtil.getParameter(request, "level");

if (logName != null) {
   out.println("<br /><hr /><h3>Results</h3>");
   out.println(MARKER
        + "Submitted Log Name: <b>" + logName + "</b><br />");
  ...
}{code}
Above is the code piece. It seems that the log name is directly collected from the 
web request, and only whether the data is null is checked. So an attacker may 
provide a logName with a piece of injected code leading to cross-site attacks. 
Besides, the variable "level" may also have such a vulnerability.
(org.apache.hadoop.hbase.http.log.LogLevel.java Line 111/118)

Linkage to the code is here:

https://github.com/apache/hbase/blob/9e9b347d667e1fc6165c9f8ae5ae7052147e8895/hbase-http/src/main/java/org/apache/hadoop/hbase/http/log/LogLevel.java#L111
SourceBrella inc.


> A potential security issue in org.apache.hadoop.hbase.http.log.LogLevel.java
> ----------------------------------------------------------------------------
>
>                 Key: HBASE-20339
>                 URL: https://issues.apache.org/jira/browse/HBASE-20339
>             Project: HBase
>          Issue Type: Bug
>          Components: hbase
>    Affects Versions: 2.0.0-beta-2
>            Reporter: andy zhou
>            Priority: Major
>
> Our program analyzer has detected a potential security issue as follows 
> {code:java}
> PrintWriter out = ServletUtil.initHTML(response, "Log Level");
> String logName = ServletUtil.getParameter(request, "log");
> String level = ServletUtil.getParameter(request, "level");
> if (logName != null) {
>    out.println("<br /><hr /><h3>Results</h3>");
>    out.println(MARKER
>         + "Submitted Log Name: <b>" + logName + "</b><br />");
>   ...
> }{code}
> Above is the code piece. It seems that the log name is directly collected from 
> the web request, and only whether the data is null is checked. So an attacker 
> may provide a "logName" with a piece of injected code, leading to cross-site 
> attacks. Besides, the variable "level" may also have such a vulnerability.
>  
> (org.apache.hadoop.hbase.http.log.LogLevel.java Line 111/118)
> Linkage to the code is here:
> [https://github.com/apache/hbase/blob/9e9b347d667e1fc6165c9f8ae5ae7052147e8895/hbase-http/src/main/java/org/apache/hadoop/hbase/http/log/LogLevel.java#L111]
>  
> SourceBrella inc.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
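The report describes the classic reflected-XSS shape: a request parameter concatenated straight into an HTML response with only a null check. The Java below is an added example, not code from the ticket or from HBase's own fix. It places the flagged echo pattern next to a hardened version that escapes request-derived text at the point of output and validates the "level" parameter against a whitelist instead of echoing it back. The helper names (escapeHtml, isAllowedLevel, renderVulnerable, renderHardened), the MARKER value and the set of accepted level names are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example: the echo pattern from the report next to a hardened version.
 * Helper names, MARKER and ALLOWED_LEVELS are assumptions for illustration,
 * not HBase's actual code or fix.
 */
public final class LogLevelEcho {

    // Constructed stand-in for the MARKER constant referenced in the report's snippet.
    static final String MARKER = "<!-- OUTPUT -->";

    // Assumed set of acceptable level names; adjust to the logging backend in use.
    static final Set<String> ALLOWED_LEVELS = new HashSet<>(Arrays.asList(
        "ALL", "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"));

    /** Minimal HTML entity escaping suitable for text nodes and quoted attribute values. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** A level is either a known name or it is rejected; there is nothing to escape. */
    static boolean isAllowedLevel(String level) {
        return level != null && ALLOWED_LEVELS.contains(level.toUpperCase());
    }

    /** The pattern the report flags: request data concatenated straight into markup. */
    static String renderVulnerable(String logName) {
        return MARKER + "Submitted Log Name: <b>" + logName + "</b><br />";
    }

    /** Hardened form: every request-derived value is escaped where it enters the HTML. */
    static String renderHardened(String logName, String level) {
        StringBuilder out = new StringBuilder();
        out.append(MARKER)
           .append("Submitted Log Name: <b>").append(escapeHtml(logName)).append("</b><br />");
        if (level != null) {
            if (isAllowedLevel(level)) {
                out.append(MARKER)
                   .append("Submitted Level: <b>").append(escapeHtml(level)).append("</b><br />");
            } else {
                // Do not reflect the rejected value at all; report only that it was rejected.
                out.append(MARKER).append("Bad level: value rejected<br />");
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input containing HTML metacharacters; not a real logger name.
        String logName = "org.example.<Logger> & \"quoted\"";
        System.out.println("vulnerable: " + renderVulnerable(logName));
        System.out.println("hardened:   " + renderHardened(logName, "debug"));
        System.out.println("hardened:   " + renderHardened(logName, "<not-a-level>"));
    }
}
```

Running it shows the vulnerable line emitting the angle brackets and quotes verbatim, while the hardened line emits `&lt;Logger&gt; &amp; &quot;quoted&quot;`. Two points carry over to a real fix: escape at the output sink rather than at the input (so every path that writes the value is covered), and for a parameter with a small legal domain such as a log level, validate against the known names and never echo an unrecognised value back to the client. In project code, an existing, reviewed escaping utility is preferable to a hand-rolled one like escapeHtml above.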
