[jira] [Commented] (SPARK-18664) Don't respond to HTTP OPTIONS in HTTP-based UIs
[ https://issues.apache.org/jira/browse/SPARK-18664?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15711321#comment-15711321 ] Sean Owen commented on SPARK-18664: --- This doesn't describe any vulnerability though. > Don't respond to HTTP OPTIONS in HTTP-based UIs > --- > > Key: SPARK-18664 > URL: https://issues.apache.org/jira/browse/SPARK-18664 > Project: Spark > Issue Type: Improvement > Components: Web UI >Reporter: meiyoula >Priority: Minor > > This was flagged a while ago during a routine security scan(AWVS): the > HTTP-based Spark services respond to an HTTP OPTIONS command. > HTTP OPTIONS method is enabled on this web server. The OPTIONS method > provides a list of the methods that are supported by the web server, it > represents a request for information about the communication options > available on the request/response chain identified by the Request-URI. > The OPTIONS method may expose sensitive information that may help an > malicious user to prepare more advanced attacks. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Commented] (SPARK-18664) Don't respond to HTTP OPTIONS in HTTP-based UIs
[ https://issues.apache.org/jira/browse/SPARK-18664?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15711307#comment-15711307 ] meiyoula commented on SPARK-18664: -- please refer to https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_(OWASP-CM-008) > Don't respond to HTTP OPTIONS in HTTP-based UIs > --- > > Key: SPARK-18664 > URL: https://issues.apache.org/jira/browse/SPARK-18664 > Project: Spark > Issue Type: Improvement > Components: Web UI >Reporter: meiyoula >Priority: Minor > > This was flagged a while ago during a routine security scan(AWVS): the > HTTP-based Spark services respond to an HTTP OPTIONS command. > HTTP OPTIONS method is enabled on this web server. The OPTIONS method > provides a list of the methods that are supported by the web server, it > represents a request for information about the communication options > available on the request/response chain identified by the Request-URI. > The OPTIONS method may expose sensitive information that may help an > malicious user to prepare more advanced attacks. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Commented] (SPARK-18664) Don't respond to HTTP OPTIONS in HTTP-based UIs
[ https://issues.apache.org/jira/browse/SPARK-18664?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15711294#comment-15711294 ] Sean Owen commented on SPARK-18664: --- What is the attack vector for OPTIONS? I don't see that as a security risk. At the same time I can't think of a reason anyone would need to call it. > Don't respond to HTTP OPTIONS in HTTP-based UIs > --- > > Key: SPARK-18664 > URL: https://issues.apache.org/jira/browse/SPARK-18664 > Project: Spark > Issue Type: Improvement > Components: Web UI >Reporter: meiyoula >Priority: Minor > > This was flagged a while ago during a routine security scan(AWVS): the > HTTP-based Spark services respond to an HTTP OPTIONS command. > HTTP OPTIONS method is enabled on this web server. The OPTIONS method > provides a list of the methods that are supported by the web server, it > represents a request for information about the communication options > available on the request/response chain identified by the Request-URI. > The OPTIONS method may expose sensitive information that may help an > malicious user to prepare more advanced attacks. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Commented] (SPARK-18664) Don't respond to HTTP OPTIONS in HTTP-based UIs
[ https://issues.apache.org/jira/browse/SPARK-18664?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15710591#comment-15710591 ] meiyoula commented on SPARK-18664: -- [~srowen] It is similar to SPARK-5983, should we fix it? > Don't respond to HTTP OPTIONS in HTTP-based UIs > --- > > Key: SPARK-18664 > URL: https://issues.apache.org/jira/browse/SPARK-18664 > Project: Spark > Issue Type: Improvement > Components: Web UI >Reporter: meiyoula >Priority: Minor > > This was flagged a while ago during a routine security scan(AWVS): the > HTTP-based Spark services respond to an HTTP OPTIONS command. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org