Problem
Any text in rows returned from DBQuery/librdbms can contain arbitrary HTML, so a simple XSS payload like <svg id=alert(1) onload=eval(id)></svg> gives anyone with write access to the database (in our case, any user of our e-commerce platform) the ability to hijack Hue sessions.
To Reproduce
1. Load payload into MySQL/other database
CREATE DATABASE testdb; use testdb; CREATE TABLE testsql2 (field1 INTEGER, field2 LONGTEXT); INSERT INTO `testsql2` VALUES (1,'<svg id=alert(1) onload=eval(id)></svg>');
2. Go to DBQuery interface
3. Run a query like:
SELECT * FROM testdb.testsql2;
4. See an alert pop up with the text "1"
Solution
My fix that I applied (perhaps temporarily) is attached. I escape text as it comes out of the RDBMS API.
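The following is an added illustration of the escape-at-the-boundary approach described above; it is not the attached patch and not Hue's librdbms/DBQuery code, and the function names (escape_value, escape_rows, render_table, render_table_unsafe) and the sample rows are hypothetical. It shows the payload quoted in the report surviving verbatim through a naive renderer and being neutralised once row values are escaped as they leave the database layer.

```python
# Added example (not from the report or from Hue): escape row values at the
# point where they leave the RDBMS API, before any HTML rendering happens.
import html
from typing import Any, Iterable, List, Tuple

# Constructed sample rows, as a DB-API driver might return them. Row 1 carries
# the payload quoted in the bug report; rows 2 and 3 exercise quotes,
# ampersands and NULL so the escaping is seen to be value-type aware.
SAMPLE_ROWS: List[Tuple[Any, ...]] = [
    (1, '<svg id=alert(1) onload=eval(id)></svg>'),
    (2, "O'Reilly & Sons"),
    (3, None),
]


def escape_value(value: Any) -> Any:
    """HTML-escape string-like cell values; leave numbers, None, etc. untouched."""
    if isinstance(value, bytes):
        value = value.decode('utf-8', errors='replace')
    if isinstance(value, str):
        # quote=True also escapes ' and " so the value is safe inside attributes.
        return html.escape(value, quote=True)
    return value


def escape_rows(rows: Iterable[Tuple[Any, ...]]) -> List[Tuple[Any, ...]]:
    """Escape every cell of every row, preserving row/column structure."""
    return [tuple(escape_value(v) for v in row) for row in rows]


def render_table_unsafe(rows: Iterable[Tuple[Any, ...]]) -> str:
    """Vulnerable pattern: cell text is interpolated into HTML verbatim."""
    body = ''.join(
        '<tr>' + ''.join('<td>%s</td>' % ('' if v is None else v) for v in row) + '</tr>'
        for row in rows
    )
    return '<table>%s</table>' % body


def render_table(rows: Iterable[Tuple[Any, ...]]) -> str:
    """Hardened pattern: rows are escaped before the renderer ever sees them."""
    return render_table_unsafe(escape_rows(rows))


if __name__ == '__main__':
    print('unsafe :', render_table_unsafe(SAMPLE_ROWS))
    print('escaped:', render_table(SAMPLE_ROWS))
```

Escaping at the row boundary rather than in each template is the point of the approach: every consumer of the result set (HTML tables, JSON handed to client-side code that builds DOM, CSV previews) then receives inert text, and a later template that forgets autoescaping does not reopen the issue.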