Package: ganglia-web
Version: 3.5.8
Severity: grave
Tags: security upstream
Justification: user security hole
Dear Maintainer,

upstream was already notified (https://github.com/ganglia/ganglia-web/issues/218) but no reaction so far.

=== Security Advisory ===

Ganglia-Web 3.5.10 - XSS
------------------------------------------------------------

Affected Version
================
At least ganglia-web-3.5.8 and ganglia-web-3.5.10

Problem Overview
================
Technical Risk: medium
Likelihood of Exploitation: medium
Vendor: Open Source / Debian
Reported by: Eric Sesterhenn <snakeb...@gmx.de>
Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013002.txt
Advisory Status: Private

Problem Impact
==============
While taking a quick look at the web interface, an XSS issue has been found. It is possible to execute JavaScript in a victim's browser after tricking the victim into opening a specially crafted URL.

Problem Description
===================
The following URL opens a JavaScript popup in the user's browser:

http://localhost/ganglia-web-3.5.8/?r=custom&cs=1&ce=1&s=by+name&c=1&h=&host_regex=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E&max_graphs=0&tab=m&vn=&hide-hf=false&sh=1&z=small&hc=0

The GET variable is retrieved in file get_context.php, line 89, and placed into the variable $user['host_regex'] without escaping. This variable is then placed into the $set_host_regex_value variable in file header.php, line 494, and printed at line 518.

Temporary Workaround and Fix
============================
Apply the following patch to properly encode the variable:

--- header.php.old 2013-09-30 21:07:26.272287657 +0200
+++ header.php 2013-09-30 21:09:42.226281990 +0200
@@ -491,7 +491,7 @@ $data->assign("custom_time", $custom_tim ///////////////////////////////////////////////////////////////////////// if ( $context == "cluster" ) { if ( isset($user['host_regex']) && $user['host_regex'] != "" ) - $set_host_regex_value="value='" . $user['host_regex'] . "'"; + $set_host_regex_value="value='" . htmlentities($user['host_regex'], ENT_QUOTES) . "'"; else $set_host_regex_value="";

History
=======
30.09.2013 - Issue detected
22.11.2013 - Verified with 3.5.10
22.11.2013 - Notified Vendor
25.11.2013 - Notified Debian

-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
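Review bot: the replacement line `htmlentities($user['host_regex'], ENT_QUOTES)` passes no encoding argument, so the character set the escaping assumes is whatever the PHP runtime defaults to rather than the page's own; pass it explicitly as the third argument so the escaped output matches what the browser decodes. ENT_QUOTES is the right flag here because the attribute is delimited by single quotes, which the default flags would leave unencoded. Note also that this hunk escapes only the one construction at line 494; since the advisory states the value is stored unescaped in get_context.php line 89, any other place that outputs $user['host_regex'] still needs the same treatment.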
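An added example, not code from the ganglia-web project, that models the attribute construction the advisory describes at header.php line 494 before and after the patch, fed with the host_regex payload from the URL above; the helper names and the explicit 'UTF-8' encoding argument are assumptions made here.

```php
<?php
// Added example, not part of the ganglia-web code base: models the
// single-quoted attribute built at header.php line 494 before and after
// the patch, to show why ENT_QUOTES is the flag that matters here.
declare(strict_types=1);

// Pre-patch form: the raw GET value is concatenated into a single-quoted attribute.
function host_regex_attr_unescaped(string $host_regex): string
{
    return "value='" . $host_regex . "'";
}

// Patched form. The explicit 'UTF-8' argument is an assumption added here;
// the advisory's patch passes only ENT_QUOTES.
function host_regex_attr_escaped(string $host_regex, int $flags = ENT_QUOTES): string
{
    return "value='" . htmlentities($host_regex, $flags, 'UTF-8') . "'";
}

// Conservative check: the attribute is only contained if nothing between the
// delimiting single quotes can close the quote early or open a tag.
function attr_breaks_out(string $attr): bool
{
    $inner = substr($attr, strlen("value='"), -1);
    return strpos($inner, "'") !== false || strpos($inner, '<') !== false;
}

// The host_regex parameter from the advisory URL, decoded as $_GET would deliver it.
$payload = urldecode('%27%3E%3Cscript%3Ealert%281%29%3C/script%3E');

$cases = [
    'unescaped (line 494 before patch)'     => host_regex_attr_unescaped($payload),
    'htmlentities ENT_COMPAT (no quotes)'   => host_regex_attr_escaped($payload, ENT_COMPAT),
    'htmlentities ENT_QUOTES (the patch)'   => host_regex_attr_escaped($payload),
];

foreach ($cases as $label => $attr) {
    printf("%-38s %s  -> %s\n", $label, $attr,
        attr_breaks_out($attr) ? 'BREAKS OUT' : 'contained');
}
```

The ENT_COMPAT case keeps the single quote intact, so the attribute is still closed early even though the angle brackets are encoded; only the ENT_QUOTES form keeps the whole value inside the attribute.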