Andrii Tkach created AMBARI-25287:
-------------------------------------

             Summary: Persistent Cross Site Scripting (XSS) in Ambari
                 Key: AMBARI-25287
                 URL: https://issues.apache.org/jira/browse/AMBARI-25287
             Project: Ambari
          Issue Type: Bug
          Components: ambari-web
    Affects Versions: 2.6.2
            Reporter: Andrii Tkach
Below is the HTTP Request and Response issued when a user submits a note containing JavaScript after modifying some configuration in the "Tez" service.

HTTP Request:

PUT /api/v1/clusters/<env> HTTP/1.1
Host: xyz601:8080
Content-Length: 199
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://xyz601:8080
X-Requested-With: XMLHttpRequest
X-Requested-By: X-Requested-By
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://xyz:8080/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: AMBARISESSIONID=vfiy4336mxwl1k5ehd6jrz43i
Connection: close

{"Clusters":{"desired_service_config_versions":{"service_config_version":4,"service_name":"TEZ","service_config_version_note":"Created from service config version V4\n<img src=x onerror=alert(1)>"}}}

Remediation Recommendations

Restrict all input passed to the application to valid, whitelisted content, and ensure that all response/output sent by the server is HTML/URL/JavaScript encoded, depending on the context in which the data is used by the application.

The remediation should not attempt to blacklist content and remove, filter, or sanitize it. There are too many types of encoding that can be used to get around filters for such content. We strongly recommend a positive security policy that specifies what is allowed. Negative or attack-signature-based policies are difficult to maintain and are likely to be incomplete.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
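The remediation above asks for context-dependent output encoding rather than filtering. The following is an added illustration, not Ambari's own code: a raw string concatenation of the service_config_version_note next to a hardened version that encodes the note for the HTML text context and the attribute context it is placed in, plus a JS-string encoder for the case where a value is embedded in an inline script. The function names and the rendered markup are assumptions chosen for the example; the sample note is constructed from the payload quoted in the report.

```javascript
// Added example (not from the Ambari code base): context-aware output encoding
// for a user-supplied service_config_version_note before it is rendered.

// Encode for HTML text content and double-quoted attribute values.
// Every character that can open a tag, attribute or entity is replaced, so the
// value is rendered as literal text instead of being parsed as markup.
function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Encode for embedding inside a JavaScript string literal (inline <script>).
// Quotes, backslashes, angle brackets and line terminators are emitted as
// \uXXXX escapes so the value cannot break out of the literal or end the script.
function escapeJsString(value) {
  return String(value).replace(/[\\'"<>\u2028\u2029\n\r]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Vulnerable pattern: the note is concatenated into markup unencoded, so a note
// such as the one in the report is parsed as an <img> element by the browser.
function renderNoteUnsafe(note) {
  return '<div class="config-note">' + note + '</div>';
}

// Hardened pattern: each dynamic value is encoded for the context it lands in
// (here: an attribute value and element text). The same data is displayed,
// but it can no longer introduce new elements or event handlers.
function renderNoteSafe(note) {
  const encoded = escapeHtml(note);
  return '<div class="config-note" title="' + encoded + '">' + encoded + '</div>';
}

// Defender-side check for the rendered output: is there still a live tag?
function containsLiveTag(html) {
  return /<img\b/i.test(html);
}

// Constructed sample, taken from the note value quoted in the report.
const sampleNote = 'Created from service config version V4\n<img src=x onerror=alert(1)>';

console.log('unsafe :', renderNoteUnsafe(sampleNote));
console.log('safe   :', renderNoteSafe(sampleNote));
console.log('js ctx :', escapeJsString(sampleNote));
```

The encoded output still shows the full note text to the operator, which is why encoding is preferred over stripping: nothing is lost, and no list of "dangerous" strings has to be maintained.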