Hi Eric,

The security team recently made an assessment of Ganglia and decided to only provide limited security support for the web interface.

Normally the web interface is only used by knowledgeable users and protected by some kind of web server ACL or HTTP authentication scheme. At best, pkg-monitoring will continue packaging the upstream releases and people can use them as they are.

As well as helping with the Debian packages, I'm also an upstream committer, so please submit your fix as a github pull request upstream and if nobody else processes it I can accept it through there and it will then come through the next upstream release into Debian.

Can you please let me know if this explanation is acceptable, lower the severity to important and let me know if you would like to get more involved with the Ganglia development.

Thanks for the report

Regards,

Daniel

On 25/11/13 22:35, Eric Sesterhenn wrote:
> Package: ganglia-web
> Version: 3.5.8
> Severity: grave
> Tags: security upstream
> Justification: user security hole
>
> Dear Maintainer,
>
> upstream was already notified
> (https://github.com/ganglia/ganglia-web/issues/218)
> but no reaction so far.
>
> === Security Advisory ===
>
> Ganglia-Web 3.5.10 - XSS
> ------------------------------------------------------------
>
> Affected Version
> ================
> At least ganglia-web-3.5.8 and ganglia-web-3.5.10
>
> Problem Overview
> ================
> Technical Risk: medium
> Likelihood of Exploitation: medium
> Vendor: Open Source / Debian
> Reported by: Eric Sesterhenn <snakeb...@gmx.de>
> Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013002.txt
> Advisory Status: Private
>
> Problem Impact
> ==============
> While taking a quick look at the web interface, an
> XSS issue has been found. It is possible to execute JavaScript
> in a victim's browser after tricking the victim into
> opening a specially crafted URL.
> > > Problem Description > =================== > The following URL opens a JavaScript popup in the users' > browser: > http://localhost/ganglia-web-3.5.8/?r=custom&cs=1&ce=1&s=by+name&c=1&h=&host_regex=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E&max_graphs=0&tab=m&vn=&hide-hf=false&sh=1&z=small&hc=0 > > The GET variable is retrieved in file get_context.php, line 89 > and placed into the variable $user['host_regex'] without > escaping. This variable is then placed into the $set_host_regex_value > variable in file header.php, line 494 and printed at line 518. > > > > Temporary Workaround and Fix > ============================ > Apply the following patch to properly encode the variable: > > --- header.php.old 2013-09-30 21:07:26.272287657 +0200 > +++ header.php 2013-09-30 21:09:42.226281990 +0200 
> @@ -491,7 +491,7 @@ $data->assign("custom_time", $custom_tim > ///////////////////////////////////////////////////////////////////////// > if ( $context == "cluster" ) { > if ( isset($user['host_regex']) && $user['host_regex'] != "" ) > - $set_host_regex_value="value='" . $user['host_regex'] . "'"; > + $set_host_regex_value="value='" . htmlentities($user['host_regex'], > ENT_QUOTES) . "'"; > else > $set_host_regex_value=""; > > > History > ======= > 30.09.2013 - Issue detected > 22.11.2013 - Verified with 3.5.10 > 22.11.2013 - Notified Vendor > 25.11.2013 - Notified Debian > > > > -- System Information: > Debian Release: jessie/sid > APT prefers testing > APT policy: (500, 'testing') > Architecture: amd64 (x86_64) > Foreign Architectures: i386 > > Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores) > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) > Shell: /bin/sh linked to /bin/dash > > _______________________________________________ > Pkg-monitoring-maintainers mailing list > pkg-monitoring-maintain...@lists.alioth.debian.org > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-monitoring-maintainers > -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
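Review bot: as pasted, the hunk is malformed: the added line is split after `htmlentities($user['host_regex'],` and the continuation `ENT_QUOTES) . "'";` carries no leading `+`, so `patch` will reject it; this looks like a mail-client wrap of one long `+` line and should be re-sent with the two halves joined (or the continuation prefixed with `+`). On the fix itself, ENT_QUOTES is the right flag here because the attribute is delimited with single quotes and the default ENT_COMPAT leaves `'` unencoded; pass the charset explicitly as well, e.g. `htmlentities($user['host_regex'], ENT_QUOTES, 'UTF-8')`, since the default charset of htmlentities varies by PHP version and the function returns an empty string for input that is not valid in that charset (adding ENT_SUBSTITUTE avoids that on PHP 5.4 and later). `htmlspecialchars` with the same flags would be sufficient for this context and is the more common choice.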
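As an added illustration (not Ganglia's code and not part of Eric's report), the attribute construction from header.php in its vulnerable and encoded forms, checked by reading the attribute back the way a browser would; the function names are hypothetical, the input is the advisory's URL-decoded host_regex value, and PHP 5.4 or later is assumed for ENT_SUBSTITUTE.

```php
<?php
// Added example (not Ganglia's code): the host_regex <input> from header.php
// built the vulnerable way and the encoded way, plus a check that reads the
// attribute back the way a browser would. Function names are hypothetical.

// Constructed input: the URL-decoded host_regex value from the advisory.
$hostRegex = "'><script>alert(1)</script>";

// Before the patch: the GET value is interpolated into a single-quoted
// attribute as-is, so a leading ' closes the attribute and > closes the tag.
function render_unescaped($value)
{
    return "<input type='text' name='host_regex' value='" . $value . "'>";
}

// After the patch (here with htmlspecialchars, which covers the characters
// that matter in this context): ENT_QUOTES is essential because the default
// ENT_COMPAT leaves ' alone; the explicit charset avoids PHP's
// version-dependent default, and ENT_SUBSTITUTE replaces invalid UTF-8
// instead of turning the whole value into an empty string.
function render_escaped($value)
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type='text' name='host_regex' value='" . $safe . "'>";
}

// A browser takes the attribute to be everything up to the next single quote.
// The render is correct only if that decodes to exactly the submitted value
// and the markup still contains a single tag.
function value_round_trips($html, $expected)
{
    if (!preg_match("/value='([^']*)'/", $html, $m)) {
        return false;
    }
    $seen = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
    return $seen === $expected && substr_count($html, '<') === 1;
}

echo render_unescaped($hostRegex), "\n";
echo render_escaped($hostRegex), "\n";
var_dump(value_round_trips(render_unescaped($hostRegex), $hostRegex));
var_dump(value_round_trips(render_escaped($hostRegex), $hostRegex));
```

The unescaped render fails the round-trip check because the attribute closes at the injected quote and a second tag appears, while the escaped render decodes back to exactly the submitted string inside one tag.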