On 02/21/2013 06:50 AM, Raphael Geissert wrote:
> Hi again,
>
> On 21 February 2013 11:47, Raphael Geissert <atom...@gmail.com> wrote:
>> On 8 February 2013 19:06, Vincent Danen <vda...@redhat.com> wrote:
>>> A number of XSS issues were fixed in ganglia's web ui:
>>>
>>> https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e
>>
>> I've a hunch that there are a few issues with the changes. A quick
>> look at the patch shows that the change here breaks the
>> preg_replace call:
>
> Forgot the reference, here's the exact code:
> https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e#L7R17
>
> [Salvatore, thanks for forwarding it]
>
> Some other notes:
>
> * https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e#L9R35
>
> This is a directory traversal issue that requires authentication,
> but there doesn't seem to be a CSRF protection in place (unless
> I'm missing something). The (stored) XSS part of it is not entirely
> fixed for the case where an attacker successfully took advantage of
> it since the sanitation is only performed when storing to the .json
> file.
>
> The other operations related to views (in views_view.php) are all
> still vulnerable to XSS via the view_name GET parameter.
>
> The authentication cookie uses a persistent token for every user
> (no session ids or any sort of nonce), which is an issue on its
> own, but it also doesn't verify that the group stored in the cookie
> actually corresponds to the user. As of 3.5.7 the groups feature
> still doesn't seem to be in use, however.
>
> So I guess we are going to need at least one more CVE id for the
> remaining XSS issues in views_view.php and I leave the rest up to
> the opinion of others (upstream included).
>
> Cheers,
Sorry I forgot about this after all the XML excitement. Please use CVE-2013-1770 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
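The three remaining gaps Raphael describes (escaping only when the .json file is written rather than when the value is rendered, a view file name derived from user input, and no CSRF check on the view-saving operation) are handled in the PHP sketch below. This is an added example, not ganglia-web's own code; the function names, the session layout and the views directory path are assumptions.

```php
<?php
// Added example, not ganglia-web's code. Function names are hypothetical.

// Escape for an HTML context at the point of output. Doing this on every
// echo, instead of only when writing the .json file, also covers values
// stored before any fix and every other page that prints the same field.
function html_out(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Confine a user-supplied view name to one file inside $views_dir.
// basename() drops any directory components; the allow-list then rejects
// anything that is not a plain identifier, so no ".." or separator survives.
function view_file_path(string $views_dir, string $view_name): ?string {
    $name = basename($view_name);
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null;
    }
    return rtrim($views_dir, '/') . '/' . $name . '.json';
}

// Per-session CSRF token: state-changing requests must send it back in a
// POST field, so a form or link on another site cannot trigger the action.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(): void {
    $sent = (string) ($_POST['csrf_token'] ?? '');
    if (empty($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $sent)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
}

// Hypothetical save handler; the views directory is a placeholder path.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    csrf_check();
    $path = view_file_path('/path/to/views', (string) ($_POST['view_name'] ?? ''));
    if ($path === null) {
        http_response_code(400);
        exit('invalid view name');
    }
    file_put_contents($path, json_encode(['view_name' => basename($path, '.json')]));
}
echo '<h2>View: ' . html_out((string) ($_GET['view_name'] ?? '')) . '</h2>';
echo '<input type="hidden" name="csrf_token" value="' . html_out(csrf_token()) . '">';
```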