[ https://issues.apache.org/jira/browse/HADOOP-11385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14250624#comment-14250624 ]

Haohui Mai commented on HADOOP-11385:
-------------------------------------

The patch replaces the {{callback()}} parameters with CORS headers that allow 
all origins to access the information. Third party systems can issue AJAX 
requests to get the JMX information, as long as the connection is authorized by 
the services.

> Cross site scripting attack on JMXJSONServlet
> ---------------------------------------------
>
>                 Key: HADOOP-11385
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11385
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Haohui Mai
>            Assignee: Haohui Mai
>            Priority: Critical
>         Attachments: HADOOP-11385.000.patch
>
>
> JMXJSONServlet allows passing a callback parameter in the JMX response, which 
> was introduced in HADOOP-8922:
> {code}
>         // "callback" parameter implies JSONP output
>         jsonpcb = request.getParameter(CALLBACK_PARAM);
>         if (jsonpcb != null) {
>           response.setContentType("application/javascript; charset=utf8");
>           writer.write(jsonpcb + "(");
>         } else {
>           response.setContentType("application/json; charset=utf8");
>         }
> {code}
> The code writes the callback parameter directly to the output, allowing a 
> cross-site scripting attack. This vulnerability allows an attacker to easily 
> steal the user's credentials from the browser.
> The original use case can be supported using Cross-origin resource sharing 
> (CORS), which is used by the current NN web UI.
> This jira proposes to move JMXJSONServlet to CORS.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

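The following is an added example, not code from the Hadoop project or from the issue above. It stands in for the Java servlet with plain Python functions so the two behaviours can be compared side by side: `jsonp_servlet` mirrors the quoted JMXJSONServlet logic (the raw `callback` value is written in front of the JSON), and `cors_servlet` is a hypothetical version of the proposed fix that drops the callback and answers with an `Access-Control-Allow-Origin` header instead. The function names, the `SAMPLE_BEANS` data and the `*` origin value are assumptions; the page only says the patch allows all origins, not which headers it sets. `callback_is_identifier` shows the narrower check a reviewer would expect if JSONP were kept, which the issue does not propose.

```python
import json
import re
from typing import Dict, Tuple

# Constructed sample of a JMX bean listing; not real NameNode output.
SAMPLE_BEANS = {
    "beans": [
        {"name": "Hadoop:service=NameNode,name=NameNodeInfo", "Version": "2.6.0"}
    ]
}

# (content type, extra response headers, body) stands in for HttpServletResponse.
Response = Tuple[str, Dict[str, str], str]


def jsonp_servlet(params: Dict[str, str], beans: dict = SAMPLE_BEANS) -> Response:
    """Pre-fix behaviour, mirroring the quoted JMXJSONServlet snippet:
    the 'callback' value is concatenated verbatim in front of the JSON,
    so whoever chooses the URL chooses the start of the script served."""
    jsonpcb = params.get("callback")
    body = json.dumps(beans)
    if jsonpcb is not None:
        return ("application/javascript; charset=utf8", {}, jsonpcb + "(" + body + ")")
    return ("application/json; charset=utf8", {}, body)


def cors_servlet(params: Dict[str, str], beans: dict = SAMPLE_BEANS) -> Response:
    """Hypothetical CORS-based replacement in the spirit of the proposed fix:
    'callback' is ignored entirely, the body is always plain JSON, and a
    cross-origin reader is admitted via Access-Control-Allow-Origin.
    '*' is an assumption; the actual header values of the patch are not
    shown on this page."""
    headers = {"Access-Control-Allow-Origin": "*"}
    return ("application/json; charset=utf8", headers, json.dumps(beans))


# Dotted JavaScript identifier, e.g. "jQuery123_cb" or "window.handleJmx".
_IDENTIFIER = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def callback_is_identifier(cb: str) -> bool:
    """Narrower mitigation (not the one the issue proposes): if JSONP is kept,
    only accept callbacks shaped like identifiers, so no code can be reflected."""
    return bool(_IDENTIFIER.match(cb))


def body_is_pure_json(resp: Response) -> bool:
    """Check a practitioner can run against any response from the endpoint:
    the body must parse as JSON on its own. Anything reflected in front of
    the payload, including a JSONP wrapper, makes this return False."""
    try:
        json.loads(resp[2])
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    evil = {"callback": "alert(document.cookie);//"}
    ctype, _, body = jsonp_servlet(evil)
    print(ctype, "->", body[:48])       # attacker-chosen prefix reaches the script
    ctype, headers, body = cors_servlet(evil)
    print(ctype, headers, "->", body[:48])  # plain JSON, callback ignored
```

One caveat the comment above does not spell out: browsers refuse a credentialed cross-origin response when `Access-Control-Allow-Origin` is `*`, so a third-party page can only read the JMX data this way if the endpoint is reachable without browser-held credentials, or if the server echoes a specific trusted origin and adds `Access-Control-Allow-Credentials: true` instead of `*`.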