Hello Daniel,

* Daniel Pocock (dan...@pocock.com.au) wrote:
>
> Hi Eric,
>
> The security team recently made an assessment of Ganglia and decided to
> only provide limited security support for the web interface.
>
> Normally the web interface is only used by knowledgeable users and
> protected by some kind of web server ACL or HTTP authentication scheme.
>
> At best, pkg-monitoring will continue packaging the upstream releases
> and people can use them as they are.
>
> As well as helping with the Debian packages, I'm also an upstream
> committer, so please submit your fix as a github pull request upstream
> and if nobody else processes it I can accept it through there and it will
> then come through the next upstream release into Debian.

I just submitted the pull request, you can see my branch here:
https://github.com/SesterhennEric/ganglia-web

> Can you please let me know if this explanation is acceptable, lower the
> severity to important and let me know if you would like to get more
> involved with the Ganglia development

I am just browsing random packages while commuting to work and see what
pops up, so I am not getting highly involved in Ganglia.

Best regards,
Eric

> Thanks for the report
>
> Regards,
>
> Daniel
>
>
> On 25/11/13 22:35, Eric Sesterhenn wrote:
> > Package: ganglia-web
> > Version: 3.5.8
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> >
> > Dear Maintainer,
> >
> > upstream was already notified
> > (https://github.com/ganglia/ganglia-web/issues/218)
> > but no reaction so far.
> >
> > === Security Advisory ===
> >
> > Ganglia-Web 3.5.10 - XSS
> > ------------------------------------------------------------
> >
> > Affected Version
> > ================
> > At least ganglia-web-3.5.8 and ganglia-web-3.5.10
> >
> > Problem Overview
> > ================
> > Technical Risk: medium
> > Likelihood of Exploitation: medium
> > Vendor: Open Source / Debian
> > Reported by: Eric Sesterhenn <snakeb...@gmx.de>
> > Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013002.txt
> > Advisory Status: Private
> >
> > Problem Impact
> > ==============
> > While taking a quick look at the web interface, an
> > XSS issue has been found. It is possible to execute JavaScript
> > in a victim's browser after tricking the victim into
> > opening a specially crafted URL.
> >
> >
> > Problem Description
> > ===================
> > The following URL opens a JavaScript popup in the user's
> > browser:
> > http://localhost/ganglia-web-3.5.8/?r=custom&cs=1&ce=1&s=by+name&c=1&h=&host_regex=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E&max_graphs=0&tab=m&vn=&hide-hf=false&sh=1&z=small&hc=0
> >
> > The GET variable is retrieved in file get_context.php, line 89
> > and placed into the variable $user['host_regex'] without
> > escaping. This variable is then placed into the $set_host_regex_value
> > variable in file header.php, line 494 and printed at line 518.
> >
> >
> >
> > Temporary Workaround and Fix
> > ============================
> > Apply the following patch to properly encode the variable:
> >
> > --- header.php.old 2013-09-30 21:07:26.272287657 +0200
> > +++ header.php 2013-09-30 21:09:42.226281990 +0200
> > @@ -491,7 +491,7 @@ $data->assign("custom_time", $custom_tim
> > /////////////////////////////////////////////////////////////////////////
> > if ( $context == "cluster" ) {
> > if ( isset($user['host_regex']) && $user['host_regex'] != "" )
> > - $set_host_regex_value="value='" . $user['host_regex'] . "'";
> > + $set_host_regex_value="value='" . htmlentities($user['host_regex'],
> > ENT_QUOTES) . "'";
> > else
> > $set_host_regex_value="";
> >
> >
> > History
> > =======
> > 30.09.2013 - Issue detected
> > 22.11.2013 - Verified with 3.5.10
> > 22.11.2013 - Notified Vendor
> > 25.11.2013 - Notified Debian
> >
> >
> >
> > -- System Information:
> > Debian Release: jessie/sid
> > APT prefers testing
> > APT policy: (500, 'testing')
> > Architecture: amd64 (x86_64)
> > Foreign Architectures: i386
> >
> > Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
> > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> > Shell: /bin/sh linked to /bin/dash
> >
> > _______________________________________________
> > Pkg-monitoring-maintainers mailing list
> > pkg-monitoring-maintain...@lists.alioth.debian.org
> > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-monitoring-maintainers

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
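Review bot: the added line in the header.php hunk has been wrapped by the mail client, so its tail `ENT_QUOTES) . "'";` arrives without a leading `+` and the patch as quoted will not apply cleanly; keep the `htmlentities(...)` call on one line or send the patch as an attachment. The `ENT_QUOTES` flag is the essential part of the fix: the attribute is delimited with single quotes (`value='...'`), and on the PHP versions of the time the default flag set (`ENT_COMPAT`) encodes only `"`, so without `ENT_QUOTES` a `'` in `host_regex` would still close the attribute. Consider passing the charset explicitly as the third argument (e.g. `'UTF-8'`) so the encoding does not depend on the interpreter's default, and checking whether `$user['host_regex']` is emitted anywhere in header.php other than the line 518 the report names, since the patch escapes only this one assignment.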
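An added, stand-alone illustration of the point in the advisory (not ganglia-web code and not part of the original mail): the `value='...'` attribute from header.php built unescaped, with PHP's pre-8.1 default `ENT_COMPAT`, and with the patch's `ENT_QUOTES`, checked against the `host_regex` value from the advisory URL. The function names and the `attribute_is_contained` check are the example's own.

```php
<?php
// Added example (not ganglia-web code): three ways of building the
// value='...' attribute from header.php, and a check of which one keeps
// the input inside the attribute. Function names are the example's own.

// Same construction as the unpatched header.php line 494: raw input.
function host_regex_attr_unescaped(string $regex): string {
    return "value='" . $regex . "'";
}

// Pre-8.1 default flag set: ENT_COMPAT encodes " but not ', so a
// single-quoted attribute can still be closed by the input.
function host_regex_attr_compat(string $regex): string {
    return "value='" . htmlentities($regex, ENT_COMPAT, 'UTF-8') . "'";
}

// The patched form: ENT_QUOTES encodes both ' and "; the charset is
// passed explicitly so the result does not depend on the PHP default.
function host_regex_attr_quotes(string $regex): string {
    return "value='" . htmlentities($regex, ENT_QUOTES, 'UTF-8') . "'";
}

// Does the escaped part still contain a literal ' or <? If so the
// attribute boundary (and what follows it) is controlled by the input.
function attribute_is_contained(string $attr): bool {
    $inner = substr($attr, strlen("value='"), -1);
    return strpos($inner, "'") === false && strpos($inner, '<') === false;
}

function check(bool $ok, string $what): void {
    if (!$ok) { throw new RuntimeException("check failed: $what"); }
}

// Constructed sample: the host_regex parameter from the advisory URL.
$payload = urldecode('%27%3E%3Cscript%3Ealert%281%29%3C/script%3E');

check(!attribute_is_contained(host_regex_attr_unescaped($payload)), 'raw breaks out');
check(!attribute_is_contained(host_regex_attr_compat($payload)), 'ENT_COMPAT breaks out');
check(attribute_is_contained(host_regex_attr_quotes($payload)), 'ENT_QUOTES contained');
// A benign regex is passed through unchanged by the patched form.
check(host_regex_attr_quotes('^web-0[1-9]') === "value='^web-0[1-9]'", 'benign unchanged');

foreach (['unescaped', 'compat', 'quotes'] as $variant) {
    $fn = "host_regex_attr_$variant";
    printf("%-10s %s\n", $variant, $fn($payload));
}
echo "all checks passed\n";
```

Run it with `php example.php`; the three printed lines show that only the `ENT_QUOTES` variant leaves no unencoded `'` or `<` inside the attribute.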