Haohui Mai created HADOOP-11385:
-----------------------------------
Summary: Cross site scripting attack on JMXJSONServlet
Key: HADOOP-11385
URL: https://issues.apache.org/jira/browse/HADOOP-11385
Project: Hadoop Common
Issue Type: Bug
Reporter: Haohui Mai
Assignee: Haohui Mai
Priority: Critical
JMXJSONServlet allows passing a callback parameter in the JMX response, which
is introduced in HADOOP-8922:
{code}
// "callback" parameter implies JSONP outpout
jsonpcb = request.getParameter(CALLBACK_PARAM);
if (jsonpcb != null) {
response.setContentType("application/javascript; charset=utf8");
writer.write(jsonpcb + "(");
} else {
response.setContentType("application/json; charset=utf8");
}
{code}
The code writes the callback parameter directly to the output, allowing
cross-site scripting attack. This vulnerability allows the attacker easily
stealing the credential of the user on the browser.
The original use case can be supported using Cross-origin resource sharing
(CORS), which is used by the current NN web UI.
This jira proposes to move JMXJSONServlet to CORS.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
