[Pkg-monitoring-maintainers] Bug#730507: Bug#730507: ganglia-web: Cross-Site-Scripting Issue in Ganglia-web 3.5.8

Eric Sesterhenn snakebyte at gmx.de
Tue Nov 26 07:05:13 UTC 2013


Hello Daniel,

* Daniel Pocock (daniel at pocock.com.au) wrote:
> 
> Hi Eric,
> 
> The security team recently made an assessment of Ganglia and decided to
> only provide limited security support for the web interface.
> 
> Normally the web interface is only used by knowledgeable users and
> protected by some kind of web server ACL or HTTP authentication scheme.
> 
> At best, pkg-monitoring will continue packaging the upstream releases
> and people can use them as they are.
> 
> As well as helping with the Debian packages, I'm also an upstream
> committer, so please submit your fix as a github pull request upstream
> and if nobody else processes it, I can accept it through there and it will
> then come through the next upstream release into Debian.

I just submitted the pull request, you can see my branch here:
https://github.com/SesterhennEric/ganglia-web
 
> Can you please let me know if this explanation is acceptable, lower the
> severity to important and let me know if you would like to get more
> involved with the Ganglia development.

I am just browsing random packages while commuting to work and seeing what pops up,
so I am not getting highly involved in Ganglia.

Best regards,
Eric
 
> Thanks for the report
> 
> Regards,
> 
> Daniel
> 
> 
> On 25/11/13 22:35, Eric Sesterhenn wrote:
> > Package: ganglia-web
> > Version: 3.5.8
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > 
> > Dear Maintainer,
> > 
> > upstream was already notified (https://github.com/ganglia/ganglia-web/issues/218)
> > but no reaction so far. 
> > 
> > === Security Advisory ===
> > 
> > Ganglia-Web 3.5.10 - XSS
> > ------------------------------------------------------------
> > 
> > Affected Version
> > ================
> > At least ganglia-web-3.5.8 and ganglia-web-3.5.10
> > 
> > Problem Overview
> > ================
> > Technical Risk: medium
> > Likelihood of Exploitation: medium
> > Vendor: Open Source / Debian
> > Reported by: Eric Sesterhenn <snakebyte at gmx.de>
> > Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013002.txt
> > Advisory Status: Private
> > 
> > Problem Impact
> > ==============
> > While taking a quick look at the web interface, an
> > XSS issue has been found. It is possible to execute JavaScript
> > in a victim's browser after tricking the victim into
> > opening a specially crafted URL.
> > 
> > 
> > Problem Description
> > ===================
> > The following URL opens a JavaScript popup in the user's
> > browser:
> > http://localhost/ganglia-web-3.5.8/?r=custom&cs=1&ce=1&s=by+name&c=1&h=&host_regex=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E&max_graphs=0&tab=m&vn=&hide-hf=false&sh=1&z=small&hc=0
> > 
> > The GET variable is retrieved in file get_context.php, line 89
> > and placed into the variable $user['host_regex'] without
> > escaping. This variable is then placed into the $set_host_regex_value
> > variable in file header.php, line 494 and printed at line 518.
> > 
> > 
> > 
> > Temporary Workaround and Fix
> > ============================
> > Apply the following patch to properly encode the variable:
> > 
> > --- header.php.old	2013-09-30 21:07:26.272287657 +0200
> > +++ header.php	2013-09-30 21:09:42.226281990 +0200
> > @@ -491,7 +491,7 @@ $data->assign("custom_time", $custom_tim
> >  /////////////////////////////////////////////////////////////////////////
> >  if ( $context == "cluster" ) {
> >    if ( isset($user['host_regex']) && $user['host_regex'] != "" )
> > -    $set_host_regex_value="value='" . $user['host_regex'] . "'";
> > +    $set_host_regex_value="value='" . htmlentities($user['host_regex'], ENT_QUOTES) . "'";
> >    else
> >      $set_host_regex_value="";
> >  
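Review bot: the ENT_QUOTES flag on the added htmlentities() call is essential, and the patch gets it right: $set_host_regex_value wraps the value in single quotes, and without ENT_QUOTES (the default before PHP 8.1 is ENT_COMPAT) the single quote would be left unencoded, so the attribute could still be closed from the value. Consider also passing the charset explicitly, `htmlentities($user['host_regex'], ENT_QUOTES, 'UTF-8')`, because the default charset in PHP releases before 5.4 is ISO-8859-1, and a mismatch with the page's actual encoding can leave bytes mis-decoded. Encoding at the output point in header.php rather than in get_context.php is the right choice; the remaining check is that no other place in the templates echoes $user['host_regex'] without the same encoding.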
> > 
> > History
> > =======
> > 30.09.2013 - Issue detected
> > 22.11.2013 - Verified with 3.5.10
> > 22.11.2013 - Notified Vendor
> > 25.11.2013 - Notified Debian
> > 
> > 
> > 
> > -- System Information:
> > Debian Release: jessie/sid
> >   APT prefers testing
> >   APT policy: (500, 'testing')
> > Architecture: amd64 (x86_64)
> > Foreign Architectures: i386
> > 
> > Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
> > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> > Shell: /bin/sh linked to /bin/dash
> > 
> > _______________________________________________
> > Pkg-monitoring-maintainers mailing list
> > Pkg-monitoring-maintainers at lists.alioth.debian.org
> > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-monitoring-maintainers
> > 

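As an added example, not code from this thread or from Ganglia-web itself, the following PHP reconstructs the sink described in the advisory in minimal form: the vulnerable single-quoted attribute next to the hardened one from the patch, rendered on the decoded form of the advisory's host_regex parameter, plus a small defender-side check that the encoded attribute contains no raw quote or angle bracket. The function names, the third charset argument to htmlentities() and the constructed $user array are assumptions for illustration.

```php
<?php
// Added example (not Ganglia-web code): how the host_regex value reaches the
// HTML attribute in header.php, shown vulnerable and hardened side by side.
// Function names and the constructed input below are assumptions.

// Vulnerable form: the raw GET value is concatenated into a single-quoted
// attribute, exactly as the pre-patch line in the advisory does.
function host_regex_attr_vulnerable(array $user)
{
    if (isset($user['host_regex']) && $user['host_regex'] != "")
        return "value='" . $user['host_regex'] . "'";
    return "";
}

// Hardened form, mirroring the patch: encode for an HTML attribute context.
// ENT_QUOTES matters because the attribute is delimited by single quotes;
// the older default (ENT_COMPAT) leaves ' untouched, so the attribute could
// still be closed. The explicit 'UTF-8' charset (assumed to match the page
// encoding) avoids the ISO-8859-1 default of PHP releases before 5.4.
function host_regex_attr_safe(array $user)
{
    if (isset($user['host_regex']) && $user['host_regex'] != "")
        return "value='" . htmlentities($user['host_regex'], ENT_QUOTES, 'UTF-8') . "'";
    return "";
}

// Defender-side check: after the leading "value='" and the closing quote,
// the attribute body must contain no raw quote or angle bracket.
function attribute_is_encoded($attr)
{
    $inner = substr($attr, strlen("value='"), -1);
    return $inner !== false && strpbrk($inner, "'\"<>") === false;
}

// Constructed input: the URL-decoded host_regex parameter from the advisory.
$user = array('host_regex' => "'><script>alert(1)</script>");

// Render the input element as header.php would, to make the difference visible.
foreach (array('vulnerable' => host_regex_attr_vulnerable($user),
               'safe'       => host_regex_attr_safe($user)) as $label => $attr) {
    echo $label, ": <input type='text' name='host_regex' ", $attr, ">\n";
    echo "  encoded correctly: ", attribute_is_encoded($attr) ? "yes" : "no", "\n";
}
```

The vulnerable rendering closes the attribute and the input tag, leaving a script element in the page; the hardened rendering keeps the same value as literal text (`&#039;&gt;&lt;script&gt;...`), which the browser displays in the field but never interprets as markup.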