[Pkg-monitoring-maintainers] Bug#730507: Bug#730507: ganglia-web: Cross-Site-Scripting Issue in Ganglia-web 3.5.8

Daniel Pocock daniel at pocock.com.au
Mon Nov 25 22:15:37 UTC 2013


Hi Eric,

The security team recently made an assessment of Ganglia and decided to
only provide limited security support for the web interface.

Normally the web interface is only used by knowledgeable users and
protected by some kind of web server ACL or HTTP authentication scheme.

At best, pkg-monitoring will continue packaging the upstream releases
and people can use them as they are.

As well as helping with the Debian packages, I'm also an upstream
committer, so please submit your fix as a github pull request upstream
and if nobody else processes it, I can accept it through there and it will
then come through the next upstream release into Debian.

Can you please let me know if this explanation is acceptable, lower the
severity to important and let me know if you would like to get more
involved with the Ganglia development.

Thanks for the report

Regards,

Daniel


On 25/11/13 22:35, Eric Sesterhenn wrote:
> Package: ganglia-web
> Version: 3.5.8
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> 
> Dear Maintainer,
> 
> Upstream was already notified (https://github.com/ganglia/ganglia-web/issues/218)
> but no reaction so far.
> 
> === Security Advisory ===
> 
> Ganglia-Web 3.5.10 - XSS
> ------------------------------------------------------------
> 
> Affected Version
> ================
> At least ganglia-web-3.5.8 and ganglia-web-3.5.10
> 
> Problem Overview
> ================
> Technical Risk: medium
> Likelihood of Exploitation: medium
> Vendor: Open Source / Debian
> Reported by: Eric Sesterhenn <snakebyte at gmx.de>
> Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013002.txt
> Advisory Status: Private
> 
> Problem Impact
> ==============
> While taking a quick look at the web interface, an
> XSS issue has been found. It is possible to execute JavaScript
> in a victim's browser after tricking the victim into
> opening a specially crafted URL.
> 
> 
> Problem Description
> ===================
> The following URL opens a JavaScript popup in the user's
> browser:
> http://localhost/ganglia-web-3.5.8/?r=custom&cs=1&ce=1&s=by+name&c=1&h=&host_regex=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E&max_graphs=0&tab=m&vn=&hide-hf=false&sh=1&z=small&hc=0
> 
> The GET variable is retrieved in file get_context.php, line 89
> and placed into the variable $user['host_regex'] without
> escaping. This variable is then placed into the $set_host_regex_value
> variable in file header.php, line 494 and printed at line 518.
> 
> 
> 
> Temporary Workaround and Fix
> ============================
> Apply the following patch to properly encode the variable:
> 
> --- header.php.old	2013-09-30 21:07:26.272287657 +0200
> +++ header.php	2013-09-30 21:09:42.226281990 +0200
> @@ -491,7 +491,7 @@ $data->assign("custom_time", $custom_tim
>  /////////////////////////////////////////////////////////////////////////
>  if ( $context == "cluster" ) {
>    if ( isset($user['host_regex']) && $user['host_regex'] != "" )
> -    $set_host_regex_value="value='" . $user['host_regex'] . "'";
> +    $set_host_regex_value="value='" . htmlentities($user['host_regex'], ENT_QUOTES) . "'";
>    else
>      $set_host_regex_value="";
>  
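Review bot: the new htmlentities() call on the `+` line omits the charset argument, so the encoding behaviour depends on the interpreter's default (ISO-8859-1 before PHP 5.4, UTF-8 from 5.4 on); pass it explicitly, e.g. `htmlentities($user['host_regex'], ENT_QUOTES, 'UTF-8')`, so the result does not vary with the PHP version. ENT_QUOTES is the right flag here because the attribute is delimited by single quotes, which the default ENT_COMPAT would leave unencoded. Note also that the patch hardens only this one sink in header.php; since the description above says get_context.php stores the raw request value in $user['host_regex'] without escaping, any other template that echoes that variable needs the same output encoding.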
> 
> History
> =======
> 30.09.2013 - Issue detected
> 22.11.2013 - Verified with 3.5.10
> 22.11.2013 - Notified Vendor
> 25.11.2013 - Notified Debian
> 
> 
> 
> -- System Information:
> Debian Release: jessie/sid
>   APT prefers testing
>   APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> _______________________________________________
> Pkg-monitoring-maintainers mailing list
> Pkg-monitoring-maintainers at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-monitoring-maintainers
> 
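As an added example (not part of Eric's report and not ganglia-web's own code), the attribute sink the advisory describes is shown beside its hardened form, together with a small defender-side check that the encoded value can no longer close the single-quoted `value='...'` attribute or open a tag. The function names and the sample input are assumptions made for this illustration.

```php
<?php
// Added example, not ganglia-web code. The function names are hypothetical.

// Vulnerable form, as in header.php before the patch: the raw request value is
// concatenated straight into a single-quoted HTML attribute.
function host_regex_attr_vulnerable(string $host_regex): string
{
    return "value='" . $host_regex . "'";
}

// Hardened form, as in the patch but with an explicit charset. ENT_QUOTES is
// required because the attribute is delimited by single quotes, which the
// default ENT_COMPAT flag leaves untouched; naming the charset keeps the
// result independent of the interpreter's version-dependent default.
function host_regex_attr_safe(string $host_regex): string
{
    return "value='" . htmlentities($host_regex, ENT_QUOTES, 'UTF-8') . "'";
}

// Defender-side check: after the fixed value=' and ' wrapper is stripped, the
// user-derived part must contain none of the characters that could end the
// attribute or start a tag.
function attr_value_is_inert(string $attr): bool
{
    $inner = substr($attr, strlen("value='"), -1);
    return strpbrk($inner, "'\"<>") === false;
}

// Constructed sample input (not a real request): covers both quote styles
// and angle brackets, which is what an attribute-context encoder must handle.
$sample = "'>\"<x>";

echo "vulnerable: ", host_regex_attr_vulnerable($sample), PHP_EOL;
echo "hardened:   ", host_regex_attr_safe($sample), PHP_EOL;

// The vulnerable form fails the check, the hardened form passes it.
var_dump(attr_value_is_inert(host_regex_attr_vulnerable($sample)));
var_dump(attr_value_is_inert(host_regex_attr_safe($sample)));
```

Run it with `php example.php`. The check deliberately looks only at the user-derived portion of the attribute, so it can be dropped into a template test to make sure every place that echoes `$user['host_regex']` goes through the same encoder.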


