[ https://issues.apache.org/jira/browse/AMBARI-24420?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Julia updated AMBARI-24420:
---------------------------
    Summary: XSS in Ambari Add Host Wizard  (was: Attacker can Stop all services)

> XSS in Ambari Add Host Wizard
> -----------------------------
>
>                 Key: AMBARI-24420
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24420
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-client
>    Affects Versions: 2.7.1
>            Reporter: Julia
>            Priority: Critical
>
> It is possible for an attacker to cause a denial of service situation for a 
> cluster/user. By having a user simply load/visit a URL, all the services on 
> the cluster will be stopped. Not only will this interrupt service, but if the 
> right URLs are loaded in the correct order, services can be left in an 
> unrecoverable state. This is an example: if configuration changes are happening, 
> and services are stopped before such changes are properly made, then the 
> services will try to start in a bad configuration state. This is in addition 
> to possible data loss of any jobs happening at the time.
> Requests which can cause state changes should not be "GET" requests, which can 
> be abused in such a manner.
>  
> Repro steps:
>  
> Attacker can DoS/interrupt your cluster by having you visit a URL unknowingly:
> [+{color:#0066cc}https://xxxxxxxxxxxxxxxx.azurehdinsight.net/#/main/services/highAvailability/JournalNode/manage/step4{color}+]
> !https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/bbc264fe-d6f3-4f74-8a63-9e5a6fdff754?fileName=attachfilehandler%20%284%29.png!
> !https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/50bd00ca-d219-4f07-8a22-ea58f9f3408d?fileName=attachfilehandler%20%285%29.png!
> Also able to force a configuration change by visiting a URL before the 
> shutdown.
> Force configuration change:
> [+{color:#0066cc}https://xxxxxxxxxxxxxxxx.azurehdinsight.net/#/main/service/reassign/step4{color}+]
> !https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/6b7ca029-cbf2-43dc-8eba-23992ba777dc?fileName=attachfilehandler%20%286%29.png!
>  
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
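The report's core point is that a state-changing operation reachable by simply loading a URL (a GET) can be triggered by any page the user happens to visit. The following is an added illustration, not Ambari's code: a constructed in-memory "cluster" with a hypothetical `/services/stop` handler shown in two forms, the weak one that acts on any request method, and a hardened one that refuses GET and requires a POST carrying a per-session anti-CSRF token that a cross-site page cannot read. Class and function names, the `X-CSRF-Token` header and the service list are all assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Cluster:
    """Constructed stand-in for a cluster's service state; not Ambari's model."""
    services: Dict[str, str] = field(
        default_factory=lambda: {"HDFS": "STARTED", "YARN": "STARTED"}
    )


@dataclass
class Session:
    """A logged-in user's session with a random token bound to it (assumed design)."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def stop_all_services(cluster: Cluster) -> None:
    """The privileged, state-changing operation the handlers below guard."""
    for name in cluster.services:
        cluster.services[name] = "STOPPED"


def vulnerable_stop_handler(method: str, cluster: Cluster) -> Tuple[int, str]:
    """Weak form: performs the operation regardless of method or token.

    Any link, image tag or redirect that makes the browser fetch this URL
    while the user is logged in will stop every service."""
    stop_all_services(cluster)
    return 200, "all services stopped"


def hardened_stop_handler(
    method: str, headers: Dict[str, str], session: Session, cluster: Cluster
) -> Tuple[int, str]:
    """Hardened form for a hypothetical /services/stop endpoint.

    1. GET (and every other non-POST method) is refused, so merely visiting a
       URL can never change cluster state.
    2. POST must carry the session's token; a page on another origin cannot
       read it, so it cannot forge a valid request on the user's behalf."""
    if method != "POST":
        return 405, "state-changing operations require POST"
    supplied = headers.get("X-CSRF-Token", "")
    # Constant-time comparison avoids leaking token bytes through timing.
    if not hmac.compare_digest(supplied, session.csrf_token):
        return 403, "missing or invalid CSRF token"
    stop_all_services(cluster)
    return 200, "all services stopped"


if __name__ == "__main__":
    cluster = Cluster()
    session = Session("alice")
    print(hardened_stop_handler("GET", {}, session, cluster), cluster.services)
    print(hardened_stop_handler("POST", {}, session, cluster), cluster.services)
    print(
        hardened_stop_handler(
            "POST", {"X-CSRF-Token": session.csrf_token}, session, cluster
        ),
        cluster.services,
    )
```

The method check alone already defeats the "visit a URL" scenario in the report; the token check is what stops a hostile page from submitting a cross-site POST form instead. Both belong on every endpoint that stops, starts or reconfigures services.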
