Ganglia users,

Peter Vreugdenhil found a HUGE security flaw in the graph.php script in the Ganglia PHP/RRD client. I highly recommend that you upgrade your web sites as soon as possible. I have actually hidden v1.0.0 and v1.0.1 from this web site to ensure that no one downloads them.
Steps to upgrade from v1.0.1 to v1.0.2...

1. Download v1.0.2 of the Ganglia PHP/RRD web client from
   http://sourceforge.net/project/showfiles.php?group_id=43021
2. Unpack the distribution
   gunzip < ganglia-php-rrd-client-1.0.2.tar.gz | tar -xvf -
3. Jump into the distribution directory
   cd ganglia-php-rrd-client-1.0.2
4. Shut down the ganglia-rrd.pl daemon
   /etc/rc.d/init.d/ganglia-php-rrd stop
5. Copy the new daemon over
   cp ./ganglia-rrd.pl /var/log/ganglia/
6. Restart the ganglia-rrd.pl daemon
   /etc/rc.d/init.d/ganglia-php-rrd start
7. Copy the secure graph.php to your web server
   cp ./web/graph.php /var/www/html/ganglia/graph.php (for example)

As an added precaution you can password protect the directory you placed the Ganglia PHP/RRD web client in. For instructions, visit http://www.he.net/info/htaccess/demo.html

The Ganglia PHP/RRD web demo page will always be open to the public and I trust that it is now secured. If any other security holes are found I will work non-stop until they are fixed. I would have had this fix out within minutes of receiving the alert from Peter Vreugdenhil, but the SourceForge web site was down today for some reason.

About the exploit...

The graph.php could be exploited to run commands on your web server as user "nobody". Here is how it works... In the vulnerable graph.php I check the value of $graph and then use it to generate a $command which is executed to generate the graphs that you see on the page. If however someone passed a bogus graph type with a $command on the URL string, it would be passed to the passthru() function and run. e.g...

http://ganglia.mrcluster.org/graph.php?graph=foo&command=cat%20/etc/passwd

Since the graph "foo" is not a valid graph, the command is not overwritten with a command string that I build; instead it takes the command written by the malicious user.

To see if someone has tried this exploit on your web server...

grep graph.php access_log | grep command

I want to personally apologize for this security hole.
I made a big mistake. I also want to make it clear that there are no known security holes in ganglia gmond. While I spent two days writing the perl and PHP code for the Ganglia web client, the Ganglia monitoring core has taken me six months to build. The gmond process runs as user "nobody" and accepts no input from any client and will only output data to hosts multicasting on the Ganglia multicast network. The gmond does not exec any processes; it simply passively listens to multicast traffic, saves it to memory and then writes it to eligible clients in XML.

On a lighter note... there are also some additional features and bugs fixed in this release.

1. If gmond goes south then the ganglia-rrd.pl used to die as well. Now the ganglia-rrd.pl daemon will spin wait until gmond is back up.
2. ganglia-rrd.pl used to save data from hosts that were down. Now only hosts that are up have their data saved to the round robin database.

If you have ANY questions about this email, please do not hesitate to email me.

-matt
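The graph.php flaw described above comes down to one pattern: the graph type is checked, but an unknown type leaves $command undefined so a request parameter of the same name (via register_globals) is what reaches passthru(). The following is an added illustration of the hardened shape, not the project's own graph.php; the metric names, the RRD directory and the host parameter are assumptions.

```php
<?php
// Illustrative graph dispatcher (not Ganglia's graph.php).
// Every graph type maps to a fixed list of metrics; anything else is rejected.
$allowed_graphs = array(
    'load' => array('load_one', 'load_five'),   // constructed metric names
    'cpu'  => array('cpu_user', 'cpu_system'),
);

function build_graph_command($graph, $host) {
    global $allowed_graphs;
    // Allowlist lookup: an unknown graph type returns null instead of
    // falling through to whatever $command the caller may have supplied.
    if (!isset($allowed_graphs[$graph])) {
        return null;
    }
    // The host name becomes part of a file path, so only a strict
    // character set is accepted (no '/', '..', spaces or shell metacharacters).
    if (!preg_match('/^[A-Za-z0-9.-]{1,64}$/', $host)) {
        return null;
    }
    $rrd_dir = '/var/log/ganglia/rrds';  // assumed location of the RRD files
    $cmd = 'rrdtool graph - ';
    foreach ($allowed_graphs[$graph] as $i => $metric) {
        $file = "$rrd_dir/$host/$metric.rrd";
        // Even already-validated values are quoted before joining the command line.
        $cmd .= 'DEF:m' . $i . '=' . escapeshellarg($file) . ':sum:AVERAGE ';
        $cmd .= 'LINE1:m' . $i . '#0000ff:' . escapeshellarg($metric) . ' ';
    }
    return $cmd;
}

// Read only the parameters the page expects, explicitly from $_GET, so the
// script does not depend on register_globals and never reads a "command" parameter.
$graph = isset($_GET['graph']) ? $_GET['graph'] : '';
$host  = isset($_GET['host'])  ? $_GET['host']  : '';

$command = build_graph_command($graph, $host);
if ($command === null) {
    header('HTTP/1.0 400 Bad Request');
    exit('unknown graph type or host');
}
header('Content-Type: image/png');
passthru($command);
```

A request with graph=foo now gets a 400 response before anything is executed, which is also the outcome worth confirming in the access log after deploying a fix.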