While taking a quick look at the web interface, a
XSS issue has been found. It is possible to execute JavaScript
in a victims' browser after tricking the victim into
opening a specially crafted URL.
The GET variable is retrieved in file get_context.php, line 89
and placed into the variable $user['host_regex'] without
escaping. This variable is then placed into the $set_host_regex_value
variable in file header.php, line 494 and printed at line 518.
Temporary Workaround and Fix
Apply the following patch to properly encode the variable:
Sorry for reporting this so late, there were some health issues and a vacation in the way.
=== Security Advisory ===
Ganglia-Web 3.5.10 - XSS
Affected Version
At least ganglia-web-3.5.8 and ganglia-web-3.5.10
Problem Overview
Technical Risk: medium
Likelihood of Exploitation: medium
Vendor: Open Source / Debian
Reported by: Eric Sesterhenn snakebyte@gmx.de
Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013002.txt
Advisory Status: Private
Problem Impact
While taking a quick look at the web interface, a
XSS issue has been found. It is possible to execute JavaScript
in a victims' browser after tricking the victim into
opening a specially crafted URL.
Problem Description
The following URL opens a JavaScript popup in the users'
browser:
http://localhost/ganglia-web-3.5.8/?r=custom&cs=1&ce=1&s=by+name&c=1&h=&host_regex=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E&max_graphs=0&tab=m&vn=&hide-hf=false&sh=1&z=small&hc=0
The GET variable is retrieved in file get_context.php, line 89
and placed into the variable $user['host_regex'] without
escaping. This variable is then placed into the $set_host_regex_value
variable in file header.php, line 494 and printed at line 518.
Temporary Workaround and Fix
Apply the following patch to properly encode the variable:
--- header.php.old 2013-09-30 21:07:26.272287657 +0200
+++ header.php 2013-09-30 21:09:42.226281990 +0200
@@ -491,7 +491,7 @@ $data->assign("custom_time", $custom_tim
/////////////////////////////////////////////////////////////////////////
if ( $context == "cluster" ) {
if ( isset($user['host_regex']) && $user['host_regex'] != "" )
else
$set_host_regex_value="";
History
30.09.2013 - Issue detected
22.11.2013 - Verified with 3.5.10
The text was updated successfully, but these errors were encountered: