[ https://issues.apache.org/jira/browse/HADOOP-11385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Haohui Mai updated HADOOP-11385:
--------------------------------
    Status: Patch Available  (was: Open)

> Cross site scripting attack on JMXJSONServlet
> ---------------------------------------------
>
>                 Key: HADOOP-11385
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11385
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Haohui Mai
>            Assignee: Haohui Mai
>            Priority: Critical
>         Attachments: HADOOP-11385.000.patch
>
>
> JMXJSONServlet allows passing a callback parameter in the JMX response, which
> was introduced in HADOOP-8922:
> {code}
>     // "callback" parameter implies JSONP output
>     jsonpcb = request.getParameter(CALLBACK_PARAM);
>     if (jsonpcb != null) {
>       response.setContentType("application/javascript; charset=utf8");
>       writer.write(jsonpcb + "(");
>     } else {
>       response.setContentType("application/json; charset=utf8");
>     }
> {code}
> The code writes the callback parameter directly to the output, allowing a
> cross-site scripting attack. This vulnerability allows the attacker to easily
> steal the credentials of the user in the browser.
> The original use case can be supported using Cross-Origin Resource Sharing
> (CORS), which is used by the current NN web UI.
> This jira proposes to move JMXJSONServlet to CORS.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
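The following is an added illustration of the point the issue makes, not code from the JIRA, the attached patch, or Hadoop itself. It is written in Python rather than Java so it runs stand-alone: `render_vulnerable` reproduces the quoted HADOOP-8922 behaviour of concatenating the `callback` parameter verbatim into a JavaScript body; `render_validated` shows the minimal fix if JSONP had to stay (accept only a bare identifier path); `render_cors` shows the direction the issue proposes, plain JSON with a per-origin `Access-Control-Allow-Origin`. The bean document, the origin allow-list, the `nn.example` origin and the tainted callback string are all constructed for the example; the JIRA does not describe how the NN web UI configures CORS, so the allow-list mechanism is an assumption.

```python
import json
import re
from typing import Dict, Iterable, Optional, Tuple

# Constructed stand-in for the bean list JMXJSONServlet would serialize
# (not real NameNode output).
SAMPLE_BEANS = {
    "beans": [
        {"name": "Hadoop:service=NameNode,name=NameNodeInfo", "Version": "2.6.0"}
    ]
}

# A JSONP callback is only safe to echo if it is a bare JavaScript identifier
# path such as "cb" or "jQuery.cb1". Anything else must be rejected before it
# reaches the response body.
CALLBACK_RE = re.compile(r"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*")


def render_vulnerable(callback: Optional[str], beans: dict) -> Tuple[str, str]:
    """Reproduces the HADOOP-8922 behaviour quoted in the issue: the callback
    parameter is concatenated verbatim, so whatever the client sent becomes the
    leading JavaScript of the response. Returns (content_type, body)."""
    body = json.dumps(beans)
    if callback is not None:
        return "application/javascript; charset=utf8", callback + "(" + body + ")"
    return "application/json; charset=utf8", body


def render_validated(callback: Optional[str], beans: dict) -> Tuple[str, str]:
    """Minimal hardening if JSONP has to stay: refuse any callback that is not
    an identifier path. Raises ValueError instead of echoing the parameter."""
    if callback is not None and CALLBACK_RE.fullmatch(callback) is None:
        raise ValueError("invalid JSONP callback: %r" % callback)
    return render_vulnerable(callback, beans)


def render_cors(origin: Optional[str], allowed_origins: Iterable[str],
                beans: dict) -> Tuple[Dict[str, str], str]:
    """The direction the issue proposes: plain JSON, no callback at all, and
    cross-origin reads permitted only for origins on an explicit allow-list
    (the allow-list is an assumption of this example). Returns (headers, body)."""
    headers = {
        "Content-Type": "application/json; charset=utf8",
        # Standard hardening, not mentioned in the JIRA: stop browsers from
        # sniffing the JSON body as HTML or script.
        "X-Content-Type-Options": "nosniff",
    }
    if origin is not None and origin in set(allowed_origins):
        # Echo only an allow-listed origin, never "*", and tell caches that the
        # answer depends on the Origin request header.
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
    return headers, json.dumps(beans)


if __name__ == "__main__":
    # Constructed attacker-controlled callback: not an identifier, yet the
    # vulnerable renderer still places it at the start of a JavaScript body.
    tainted = "evil();//"
    print(render_vulnerable(tainted, SAMPLE_BEANS)[1])
    try:
        render_validated(tainted, SAMPLE_BEANS)
    except ValueError as exc:
        print("rejected:", exc)
    allowed = ["http://nn.example:50070"]
    print(render_cors("http://nn.example:50070", allowed, SAMPLE_BEANS)[0])
    print(render_cors("http://attacker.example", allowed, SAMPLE_BEANS)[0])
```

The CORS variant is the stronger fix because it removes the attacker-influenced prefix from the body entirely: the server never emits anything but JSON, and the browser, not the servlet, enforces which origins may read it. The identifier check is worth keeping in mind only for code that must remain JSONP-compatible.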