[ https://issues.apache.org/jira/browse/AMBARI-25280?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Zhiguo Wu updated AMBARI-25280:
-------------------------------
    Fix Version/s: 2.8.0

> Improper error handling when managing Ambari users
> --------------------------------------------------
>
>                 Key: AMBARI-25280
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25280
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.7.3
>            Reporter: Krisztian Kasa
>            Assignee: Krisztian Kasa
>            Priority: Critical
>              Labels: pull-request-available
>             Fix For: 2.8.0, 2.7.4
>
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> The application does not handle the error properly and reveals internal class names in the error message, as shown in the HTTP Request and Response below. This happens when an admin user tries to add an LDAP user that doesn't exist to a group.
>
> HTTP Request:
> {code}
> PUT /api/v1/groups/csrf%20test/members HTTP/1.1
> Host: xyz601:8080
> Content-Length: 69
> Accept: application/json, text/plain, */*
> Origin: http://xyz601:8080
> X-Requested-By: ambari
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
> Content-Type: plain/text
> Referer: http://xyz601:8080/views/ADMIN_VIEW/2.6.2.2/INSTANCE/
> Accept-Encoding: gzip, deflate
> Accept-Language: en-US,en;q=0.9
> Cookie: AMBARISESSIONID=nd54akraeumr1cmnz0gazantv
> Connection: close
>
> [{"MemberInfo/user_name":"test","MemberInfo/group_name":"csrf test"}]
> {code}
>
> HTTP Response:
> {code}
> HTTP/1.1 500 Internal Server Error
> X-Frame-Options: DENY
> Severity: Low
> Status: New
> Ease of Exploit: Easy
> Classification: Improper Output Handling
> Hadoop refresh (Break Glass) - UMF Visa Restricted 32
> X-XSS-Protection: 1; mode=block
> X-Content-Type-Options: nosniff
> Cache-Control: no-store
> Pragma: no-cache
> User: hitepate
> Content-Type: text/plain
> Connection: close
>
> {
>   "status" : 500,
>   "message" : "org.apache.ambari.server.controller.spi.SystemException: An internal system exception occurred: User test doesn't exist"
> }
> {code}
>
> *Remediation Recommendations*
> When errors occur, the site should respond with a specifically designed result that is helpful to the user without revealing unnecessary internal details.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
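As an added illustration, not code from the Ambari project or from the issue reporter: a small Python check that inspects an API error body like the one in the report, flags Java class names leaked into the message, and derives the kind of user-facing message the remediation recommendation asks for. The class-name regex, the wrapper-text pattern and the fallback wording are my own assumptions.

```python
import json
import re

# Constructed sample: the JSON error body from the report above, reflowed the
# way the server would emit it on one line.
SAMPLE_ERROR_BODY = (
    '{"status": 500, "message": "org.apache.ambari.server.controller.spi.'
    'SystemException: An internal system exception occurred: User test doesn\'t exist"}'
)

# Java-style fully-qualified class name: two or more dotted package segments
# followed by a capitalised class name (assumed heuristic, not an Ambari rule).
FQCN = r"(?:[a-z_]\w*\.){2,}[A-Z]\w*"
_FQCN_RE = re.compile(r"\b" + FQCN)
_EXC_PREFIX_RE = re.compile(r"^" + FQCN + r":\s*")  # "<fqcn>: " from Throwable.toString()
_WRAPPER_RE = re.compile(r"^An internal system exception occurred:\s*", re.IGNORECASE)
GENERIC_MESSAGE = "The request could not be completed. Please contact an administrator."


def leaked_class_names(message: str) -> list[str]:
    """Return every Java class name found in an API error message."""
    return _FQCN_RE.findall(message)


def sanitize_error_message(message: str) -> str:
    """Keep the user-facing detail; drop exception class names and wrapper text."""
    text = message.strip()
    while (m := _EXC_PREFIX_RE.match(text)) is not None:  # peel nested exception prefixes
        text = text[m.end():]
    text = _WRAPPER_RE.sub("", text)
    # If a class name still survives deeper in the text, expose none of it.
    if not text or _FQCN_RE.search(text):
        return GENERIC_MESSAGE
    return text


def audit_error_body(body: str) -> dict:
    """Parse a JSON error body, report any leakage and the safe replacement message."""
    payload = json.loads(body)
    message = str(payload.get("message", ""))
    leaked = leaked_class_names(message)
    return {
        "status": payload.get("status"),
        "leaks_internals": bool(leaked),
        "leaked_class_names": leaked,
        "safe_message": sanitize_error_message(message),
    }


if __name__ == "__main__":
    print(json.dumps(audit_error_body(SAMPLE_ERROR_BODY), indent=2))
```

Run against the sample body, the audit reports the leaked `SystemException` class name and proposes "User test doesn't exist" as the message to return instead.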