Akhil S Naik created AMBARI-25384:
-------------------------------------

             Summary: Ambari Files View is Vulnerable to XSS attack
                 Key: AMBARI-25384
                 URL: https://issues.apache.org/jira/browse/AMBARI-25384
             Project: Ambari
          Issue Type: Bug
          Components: ambari-views
    Affects Versions: trunk, 2.6.2, 2.7.4
            Reporter: Akhil S Naik
            Assignee: Akhil S Naik
         Attachments: Screen Shot 2019-09-24 at 6.05.19 PM.png

Problem Statement:
Ambari Files view is vulnerable to an XSS attack if the name of a file uploaded to HDFS contains XSS scripts.

Reproduction:
1) Log in to Files view.
2) Create a file on your local system with the following name and upload it to Files view:
   <svg onload= alert(document.domain)>
3) Try to delete the file or edit the permissions of the file.

The malicious XSS script will be executed in the browser. This is a security issue.

Please see the attached screenshot.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
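
The rendering flaw described in the report, shown as an added JavaScript example that is not part of the original message and is not Ambari's code: a dialog builder that concatenates the file name into markup, beside one that HTML-encodes it first. The function names and the dialog markup are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not taken from the Ambari code base.
// Constructed sample input: the file name from the reproduction steps above.
const SAMPLE_NAME = '<svg onload= alert(document.domain)>';

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Encode every character that can open a tag, an attribute value or an entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// BEFORE: the file name is concatenated into markup, so the browser parses
// it as an element and runs its event handler when the dialog is shown.
function deletePromptUnsafe(fileName) {
  return '<p>Delete <b>' + fileName + '</b> permanently?</p>';
}

// AFTER: same dialog text, with the file name encoded for HTML text context.
function deletePromptSafe(fileName) {
  return '<p>Delete <b>' + escapeHtml(fileName) + '</b> permanently?</p>';
}

// Regression check for a view test suite: does the rendered markup contain
// any tag that the template itself did not define?
function containsUnexpectedTag(html, allowedTags = ['p', 'b']) {
  const tagPattern = /<\s*\/?\s*([a-zA-Z][a-zA-Z0-9]*)/g;
  let match;
  while ((match = tagPattern.exec(html)) !== null) {
    if (!allowedTags.includes(match[1].toLowerCase())) return true;
  }
  return false;
}

console.log(deletePromptUnsafe(SAMPLE_NAME));
console.log(deletePromptSafe(SAMPLE_NAME));
```

The same encoding has to be applied at every place the file name reaches the DOM, including the delete and permission dialogs named in the reproduction steps.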