XSS in Ganglia-Web 3.5.10 and earlier #218

Closed
SesterhennEric opened this issue Nov 22, 2013 · 0 comments

Sorry for reporting this so late, there were some health issues and a vacation in the way.

=== Security Advisory ===

Ganglia-Web 3.5.10 - XSS

Affected Version

At least ganglia-web-3.5.8 and ganglia-web-3.5.10

Problem Overview

Technical Risk: medium
Likelihood of Exploitation: medium
Vendor: Open Source / Debian
Reported by: Eric Sesterhenn snakebyte@gmx.de
Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013002.txt
Advisory Status: Private

Problem Impact

While taking a quick look at the web interface, an
XSS issue has been found. It is possible to execute JavaScript
in a victim's browser after tricking the victim into
opening a specially crafted URL.

Problem Description

The following URL opens a JavaScript popup in the user's
browser:
http://localhost/ganglia-web-3.5.8/?r=custom&cs=1&ce=1&s=by+name&c=1&h=&host_regex=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E&max_graphs=0&tab=m&vn=&hide-hf=false&sh=1&z=small&hc=0

The GET variable is retrieved in file get_context.php, line 89
and placed into the variable $user['host_regex'] without
escaping. This variable is then placed into the $set_host_regex_value
variable in file header.php, line 494 and printed at line 518.

Temporary Workaround and Fix

Apply the following patch to properly encode the variable:

--- header.php.old 2013-09-30 21:07:26.272287657 +0200
+++ header.php 2013-09-30 21:09:42.226281990 +0200
@@ -491,7 +491,7 @@ $data->assign("custom_time", $custom_tim
/////////////////////////////////////////////////////////////////////////
if ( $context == "cluster" ) {
if ( isset($user['host_regex']) && $user['host_regex'] != "" )

  • $set_host_regex_value="value='" . $user['host_regex'] . "'";
  • $set_host_regex_value="value='" . htmlentities($user['host_regex'], ENT_QUOTES) . "'";
    else
    $set_host_regex_value="";

History

30.09.2013 - Issue detected
22.11.2013 - Verified with 3.5.10

vvuksan added a commit that referenced this issue Dec 31, 2013
vvuksan closed this as completed Dec 31, 2013
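The sink described in the Problem Description (a request value placed inside `value='...'`), as an added example that is not part of the original issue or Ganglia-Web's own code. `render_host_regex_attr` and `attr_is_contained` are hypothetical helpers; the input is the `host_regex` value from the advisory's URL. It compares the unpatched output, `htmlentities()` with `ENT_COMPAT` (the default flag before PHP 8.1), and the patched `ENT_QUOTES` call.

```php
<?php
// Added illustration: models the single-quoted attribute sink from the
// advisory. Helper names are hypothetical, not taken from header.php.

// Builds the attribute the way the patched line does; $flags === null
// reproduces the pre-patch behaviour (no encoding at all).
function render_host_regex_attr(string $raw, ?int $flags): string {
    if ($raw === "") {
        return "";
    }
    $encoded = ($flags === null) ? $raw : htmlentities($raw, $flags, 'UTF-8');
    return "value='" . $encoded . "'";
}

// True when the result is exactly one single-quoted value with no quote or
// angle bracket inside it, i.e. the input could not end the attribute early.
function attr_is_contained(string $attr): bool {
    return preg_match("/^value='[^'<>]*'$/", $attr) === 1;
}

// host_regex parameter from the URL in the advisory, URL-decoded.
$payload = urldecode("%27%3E%3Cscript%3Ealert%281%29%3C/script%3E");

$cases = [
    'raw (before the patch)'   => null,
    'htmlentities, ENT_COMPAT' => ENT_COMPAT,  // leaves ' untouched
    'htmlentities, ENT_QUOTES' => ENT_QUOTES,  // the patched call
];

foreach ($cases as $label => $flags) {
    $attr   = render_host_regex_attr($payload, $flags);
    $status = attr_is_contained($attr) ? "contained" : "BREAKS OUT";
    printf("%-26s %-11s %s\n", $label, $status, $attr);
}
```

With `ENT_COMPAT` the angle brackets are encoded but the single quote still terminates the value, which is why the patch passes `ENT_QUOTES` for this single-quoted attribute.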