Re: [Ganglia-general] XSS vulnerabilities in Ganglia web
I recall trying this out on 3.6.2 and I couldn't reproduce it so if you could run this against 3.6.2 and see if you can reproduce it that would be really helpful. Vladimir On 11/07/2014 04:50 PM, Cristovao Jose Domingues Cordeiro wrote: It is implemented on 3.5.12 Is this fixed on the latest version? Cumprimentos / Best regards, Cristóvão José Domingues Cordeiro IT Department - 28/R-018 CERN From: Vladimir Vuksan [vli...@veus.hr] Sent: 07 November 2014 22:31 To: Cristovao Jose Domingues Cordeiro; ganglia-general@lists.sourceforge.net Subject: Re: [Ganglia-general] XSS vulnerabilities in Ganglia web Hi Cristovao, what Ganglia Web version was tested ? Is this against latest e.g. 3.6.2 ? Thanks, Vladimir On 04/11/2014 03:35 AM, Cristovao Jose Domingues Cordeiro wrote: Hi all, recently I've updated my Ganglia web frontend to the latest version (so I could perform HTTP queries) and when I issued the security check with skipfish I got these: Vulnerabilities found: 33 · Severity: 4, Type: File inclusion .. .. · Severity: 4, Type: Query injection vector .. .. · Severity: 4, Type: Shell injection vector .. .. · Severity: 4, Type: Server-side XML injection vector .. .. · Severity: 3, Type: Directory traversal / file inclusion possible ·· ·· · Severity: 3, Type: XSS vector in document body .. .. Now, these are too many vulnerabilities, but I don't know if they can affect the backend of if they just affect the frontend. Do you know? The XSS vulnerability must be fixed for sure. I've seen some references to this in your release notes (e.g. http://www.mail-archive.com/ganglia-general%40lists.sourceforge.net/msg08004.html ) but in fact there if no difference between these last releases and the ones before that announcement. Is there a workaround for this? I can not open this Ganglia machine to the outside world if I don't have this fixed. -- ___ Ganglia-general mailing list Ganglia-general@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ganglia-general
Re: [Ganglia-general] XSS vulnerabilities in Ganglia web
It is implemented on 3.5.12 Is this fixed on the latest version? Cumprimentos / Best regards, Cristóvão José Domingues Cordeiro IT Department - 28/R-018 CERN From: Vladimir Vuksan [vli...@veus.hr] Sent: 07 November 2014 22:31 To: Cristovao Jose Domingues Cordeiro; ganglia-general@lists.sourceforge.net Subject: Re: [Ganglia-general] XSS vulnerabilities in Ganglia web Hi Cristovao, what Ganglia Web version was tested ? Is this against latest e.g. 3.6.2 ? Thanks, Vladimir On 04/11/2014 03:35 AM, Cristovao Jose Domingues Cordeiro wrote: Hi all, recently I've updated my Ganglia web frontend to the latest version (so I could perform HTTP queries) and when I issued the security check with skipfish I got these: Vulnerabilities found: 33 · Severity: 4, Type: File inclusion .. .. · Severity: 4, Type: Query injection vector .. .. · Severity: 4, Type: Shell injection vector .. .. · Severity: 4, Type: Server-side XML injection vector .. .. · Severity: 3, Type: Directory traversal / file inclusion possible ·· ·· · Severity: 3, Type: XSS vector in document body .. .. Now, these are too many vulnerabilities, but I don't know if they can affect the backend of if they just affect the frontend. Do you know? The XSS vulnerability must be fixed for sure. I've seen some references to this in your release notes (e.g. http://www.mail-archive.com/ganglia-general%40lists.sourceforge.net/msg08004.html ) but in fact there if no difference between these last releases and the ones before that announcement. Is there a workaround for this? I can not open this Ganglia machine to the outside world if I don't have this fixed. -- ___ Ganglia-general mailing list Ganglia-general@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ganglia-general
Re: [Ganglia-general] XSS vulnerabilities in Ganglia web
Hi Cristovao, what Ganglia Web version was tested ? Is this against latest e.g. 3.6.2 ? Thanks, Vladimir On 04/11/2014 03:35 AM, Cristovao Jose Domingues Cordeiro wrote: Hi all, recently I've updated my Ganglia web frontend to the latest version (so I could perform HTTP queries) and when I issued the security check with skipfish I got these: Vulnerabilities found: 33 · Severity: 4, Type: File inclusion .. .. · Severity: 4, Type: Query injection vector .. .. · Severity: 4, Type: Shell injection vector .. .. · Severity: 4, Type: Server-side XML injection vector .. .. · Severity: 3, Type: Directory traversal / file inclusion possible ·· ·· · Severity: 3, Type: XSS vector in document body .. .. Now, these are too many vulnerabilities, but I don't know if they can affect the backend of if they just affect the frontend. Do you know? The XSS vulnerability must be fixed for sure. I've seen some references to this in your release notes (e.g. http://www.mail-archive.com/ganglia-general%40lists.sourceforge.net/msg08004.html ) but in fact there if no difference between these last releases and the ones before that announcement. Is there a workaround for this? I can not open this Ganglia machine to the outside world if I don't have this fixed. -- ___ Ganglia-general mailing list Ganglia-general@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ganglia-general
[Ganglia-general] Ganglia Installation
Does anybody know of good sources of Installing Ganglia on Redhat Linux 6 as i am having trouble installing Ganglia and setup the Webpage. used these 2 links to Install but had some issues with python_module , after trying to run gmond service. ran this config file to know if all of the modules loaded successfully , i got the below error. Source to Install Ganglia : https://sachinsharm.wordpress.com/2013/08/17/setup-and-configure-ganglia-3-6-on-centosrhel-6-3/ Setup Python Modules link: https://sachinsharm.wordpress.com/2013/08/19/setup-and-configure-ganglia-python-modules-on-centosrhel-6-3/ *can't open the python module path /usr/local/lib64/ganglia/python_modules (where all the libraries for python exist)* *Module python_module failed to Initialize* *gmond -d 5 -c /etc/ganglia/gmond.conf* any help would be greatly appreciated. Thanks, -- Sreedhar Chava www.ePilupu.com (A traditional Indian Invitational Portal for all your Occasions) -- ___ Ganglia-general mailing list Ganglia-general@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ganglia-general
[Ganglia-general] Problems getting rrdcached working with Ganglia
I'm trying to follow the instructions at https://github.com/ganglia/monitor-core/wiki/Integrating-Ganglia-with-rrdcached - are they the most updated when it comes to integrating gmetad/rrdcached? The first issue appears trying to use the following in /etc/sysconfig/rrdcached on RH 6.5: OPTIONS="-p /tmp/rrdcached.pid -s apache -m 664 -l unix:/tmp/rrdcached.sock -s nogroup -m 777 -P FLUSH,STATS,HELP -l unix:/tmp/rrdcached.limited.sock -b /var/lib/ganglia/rrds -B" RRDC_USER=nobody Nogroup doesn't exist. "couldn't map "nogroup" to a group" I've tried using apache instead for the group but I see lots of /usr/sbin/gmetad[25549]: RRD_update (/var/lib/ganglia/rrds/__SummaryInfo__/tx_errs_eth1.rrd): rrdcached: Permission denied. Pointers to more documentation would be appreciated. Thanks! Keith Poirier -- ___ Ganglia-general mailing list Ganglia-general@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ganglia-general