[ https://issues.apache.org/jira/browse/AMBARI-24420?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Julia updated AMBARI-24420:
---------------------------

    Summary: XSS in Ambari Add Host Wizard  (was: Attacker can Stop all services)

> XSS in Ambari Add Host Wizard
> -----------------------------
>
>                 Key: AMBARI-24420
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24420
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-client
>    Affects Versions: 2.7.1
>            Reporter: Julia
>            Priority: Critical
>
> It is possible for an attacker to cause a denial of service situation for a
> cluster/user. By having a user simply load/visit a URL, all the services on
> the cluster will be stopped. Not only will this interrupt service, but if the
> right URLs are loaded in the correct order, services can be left in an
> unrecoverable state. An example of this is when configuration changes are
> happening and services are stopped before such changes are properly made; the
> services will then try to start in a bad configuration state. This is in
> addition to possible data loss of any jobs happening at the time.
>
> Requests which can cause state changes should not be "GET" requests, which can
> be abused in such a manner.
>
> Repro steps:
>
> An attacker can DoS/interrupt your cluster by having you visit a URL unknowingly:
> https://xxxxxxxxxxxxxxxx.azurehdinsight.net/#/main/services/highAvailability/JournalNode/manage/step4
>
> !https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/bbc264fe-d6f3-4f74-8a63-9e5a6fdff754?fileName=attachfilehandler%20%284%29.png!
> !https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/50bd00ca-d219-4f07-8a22-ea58f9f3408d?fileName=attachfilehandler%20%285%29.png!
>
> Also able to force a configuration change by visiting a URL before the
> shutdown.
>
> Force configuration change:
> https://xxxxxxxxxxxxxxxx.azurehdinsight.net/#/main/service/reassign/step4
>
> !https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/6b7ca029-cbf2-43dc-8eba-23992ba777dc?fileName=attachfilehandler%20%286%29.png!

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)