ganglia users-

Peter Vreugdenhil found a HUGE security flaw in the graph.php script in
the Ganglia PHP/RRD client.  i highly recommend that you upgrade your web
sites as soon as possible.  i have actually hidden v1.0.0 and v1.0.1 from
this web site to ensure that no one downloads them.

Steps to Upgrade from v1.0.1 to v1.0.2...

1. Download v1.0.2 of the ganglia PHP/RRD web client from
     http://sourceforge.net/project/showfiles.php?group_id=43021
2. Unpack the distribution
     gunzip < ganglia-php-rrd-client-1.0.2.tar.gz | tar -xvf -
3. Jump in the distribution directory
     cd ganglia-php-rrd-client-1.0.2
4. Shutdown the ganglia-rrd.pl daemon
     /etc/rc.d/init.d/ganglia-php-rrd stop
5. Copy the new daemon over
     cp ./ganglia-rrd.pl /var/log/ganglia/
6. Restart the ganglia-rrd.pl daemon
     /etc/rc.d/init.d/ganglia-php-rrd start
7. Copy the secure graph.php to your web server
     cp ./web/graph.php /var/www/html/ganglia/graph.php (for example)

as an added precaution you can password protect the directory you placed
the ganglia PHP/RRD web client in.  for instructions, visit
     http://www.he.net/info/htaccess/demo.html

the ganglia PHP/RRD web demo page will always be open to the public and i
trust that it is now secured.  if any other security holes are found i
will work non-stop until they are fixed.  i would have had this fix out within
minutes of receiving the alert from Peter Vreugdenhil but the SourceForge
web site was down today for some reason.

about the exploit...
the graph.php could be exploited to run commands on your web server as
user "nobody".  here is how it works...

in the vulnerable graph.php i check the value of $graph and then use it to
generate a $command which is executed to generate the graphs that you see
on the page.  if however someone passed a bogus graph type with a $command
on the URL string it would be passed to the passthru() function and run.
e.g...

http://ganglia.mrcluster.org/graph.php?graph=foo&command=cat%20/etc/passwd

since the graph "foo" is not a valid graph, the command is not overwritten
with a command string that i build; instead it takes the command written
by the malicious user.

to see if someone has tried this exploit on your web server...
     grep graph.php access_log | grep command

i want to personally apologize for this security hole.  i made a big
mistake.

i also want to make it clear that there are no known security holes in
ganglia gmond.  while i spent two days writing the perl and PHP code for
the ganglia web client the ganglia monitoring core has taken me six months
to build.  the gmond process runs as user "nobody" and accepts no input
from any client and will only output data to hosts multicasting on the
ganglia multicast network.  the gmond does not exec any processes; it
simply passively listens to multicast traffic, saves it to memory and then
writes it to eligible clients in XML.

on a lighter note...
there are also some additional features and bug fixes in this release.

1. if gmond goes south then the ganglia-rrd.pl used to die as well.  now
   the ganglia-rrd.pl daemon will spin wait until gmond is back up
2. ganglia-rrd.pl used to save data from hosts that were down.  now.. only
   hosts that are up have their data saved to the round robin database

if you have ANY questions about this email, please do not hesitate to
email me.

-matt
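As an added example that is not part of Matt's e-mail or of the Ganglia code, the following Python script runs the "has someone tried this exploit" check from the message over a few constructed Apache access_log lines. It goes a little further than the one-line grep: it parses each request target, percent-decodes the query string the way PHP would, and flags a graph.php request when the decoded parameter name is exactly `command`, or when the `graph` value is one the page never links to (a probe for the bogus-graph branch described above). The sample log lines and the set of known graph types are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access_log lines in Apache common log format; they are
# not real traffic and are here only so the script runs offline.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [04/Mar/2002:10:15:01 -0800] "GET /ganglia/graph.php?graph=cpu&size=medium HTTP/1.0" 200 4821
192.0.2.11 - - [04/Mar/2002:10:15:07 -0800] "GET /ganglia/graph.php?graph=foo&command=cat%20/etc/passwd HTTP/1.0" 200 1432
192.0.2.12 - - [04/Mar/2002:10:15:09 -0800] "GET /ganglia/graph.php?graph=foo&%63ommand=id HTTP/1.0" 200 77
192.0.2.13 - - [04/Mar/2002:10:16:00 -0800] "GET /ganglia/index.php?command=ignored HTTP/1.0" 200 5120
192.0.2.14 - - [04/Mar/2002:10:16:30 -0800] "GET /ganglia/graph.php?graph=mem&rrd_command=x HTTP/1.0" 200 4000
192.0.2.15 - - [04/Mar/2002:10:17:12 -0800] "GET /ganglia/graph.php?graph=foo HTTP/1.0" 200 0
"""

# Assumed set of graph types a graph.php install actually serves; the e-mail
# names none, so adjust this to match the `graph` values your pages link to.
KNOWN_GRAPHS = {"cpu", "mem", "load", "net"}

# Client IP, timestamp, method, request target and status of a common-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def simple_grep(text):
    """The check from the e-mail: grep graph.php access_log | grep command."""
    return [line for line in text.splitlines()
            if "graph.php" in line and "command" in line]


def scan_access_log(text, known_graphs=KNOWN_GRAPHS):
    """Return a finding for every graph.php request that either carries a
    `command` query parameter (the injection vector) or asks for a graph type
    the page never links to (a probe for the bogus-graph branch)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if not target.path.endswith("/graph.php"):
            continue
        # parse_qsl percent-decodes names as well as values, so %63ommand and
        # command collapse to the same key, just as PHP would treat them.
        params = {}
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            params.setdefault(name, value)
        reasons = []
        if "command" in params:
            reasons.append("command parameter present")
        graph = params.get("graph")
        if graph not in known_graphs:
            reasons.append("unknown graph type")
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "graph": graph,
                "command": params.get("command"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['ts']} {f['ip']} graph={f['graph']!r} "
              f"command={f['command']!r} ({'; '.join(f['reasons'])})")
```

On the sample lines the grep from the e-mail matches the `rrd_command=x` request (a substring hit, not an injection) and misses the `%63ommand=id` request, while the scan keys on the decoded parameter name and catches both the plain and the encoded form. Two caveats: access_log records only the GET query string, so if `$command` reaches graph.php through PHP's register_globals, as the "on the URL string" description implies, the same variable could also have been set from a POST body or a cookie that the log never shows; and the output of passthru() went back in the HTTP response, not into the log, so a clean grep is evidence of no probing attempts, not proof that the host is untouched.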