XSS in Ganglia-Web 3.5.10 and earlier #218

Closed
SesterhennEric opened this Issue Nov 22, 2013 · 0 comments

@SesterhennEric

Sorry for reporting this so late, there were some health issues and a vacation in the way.

=== Security Advisory ===

Ganglia-Web 3.5.10 - XSS

Affected Version

At least ganglia-web-3.5.8 and ganglia-web-3.5.10

Problem Overview

Technical Risk: medium
Likelihood of Exploitation: medium
Vendor: Open Source / Debian
Reported by: Eric Sesterhenn snakebyte@gmx.de
Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013002.txt
Advisory Status: Private

Problem Impact

While taking a quick look at the web interface, an
XSS issue has been found. It is possible to execute JavaScript
in a victim's browser after tricking the victim into
opening a specially crafted URL.

Problem Description

The following URL opens a JavaScript popup in the user's
browser:
http://localhost/ganglia-web-3.5.8/?r=custom&cs=1&ce=1&s=by+name&c=1&h=&host_regex=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E&max_graphs=0&tab=m&vn=&hide-hf=false&sh=1&z=small&hc=0

The GET variable is retrieved in file get_context.php, line 89
and placed into the variable $user['host_regex'] without
escaping. This variable is then placed into the $set_host_regex_value
variable in file header.php, line 494 and printed at line 518.

Temporary Workaround and Fix

Apply the following patch to properly encode the variable:

--- header.php.old 2013-09-30 21:07:26.272287657 +0200
+++ header.php 2013-09-30 21:09:42.226281990 +0200
@@ -491,7 +491,7 @@ $data->assign("custom_time", $custom_tim
/////////////////////////////////////////////////////////////////////////
if ( $context == "cluster" ) {
if ( isset($user['host_regex']) && $user['host_regex'] != "" )

  • $set_host_regex_value="value='" . $user['host_regex'] . "'";
  • $set_host_regex_value="value='" . htmlentities($user['host_regex'], ENT_QUOTES) . "'"; else $set_host_regex_value="";
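
Review bot: the added htmlentities() call passes ENT_QUOTES but no encoding argument, so the character set used for encoding is whatever the running PHP version defaults to; pass it explicitly, for example htmlentities($user['host_regex'], ENT_QUOTES, 'UTF-8'), so the output does not vary between installations. ENT_QUOTES itself is required here because the value is emitted inside value='...', and should stay. The change also encodes only at this one output in header.php, while per the description get_context.php still places the raw GET value into $user['host_regex'], so any other place that prints that variable needs the same encoding.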

History

30.09.2013 - Issue detected
22.11.2013 - Verified with 3.5.10

@vvuksan added a commit that referenced this issue Dec 31, 2013
Fix for #218 fbdf265
@vvuksan closed this Dec 31, 2013
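
The encoding choice in the advisory's patch, shown as an added example that is not part of the original advisory or of Ganglia-Web's code. render_value_attr() and value_breaks_out() are hypothetical helpers that rebuild the single-quoted value='...' string from the description and compare no encoding, ENT_COMPAT, and the patch's ENT_QUOTES on the host_regex value from the advisory's URL.

```php
<?php
// Added example, not Ganglia-Web code. render_value_attr() is a hypothetical
// helper mirroring the string the advisory describes header.php building:
// value='<host_regex>' inside a single-quoted HTML attribute.
function render_value_attr(string $host_regex, string $mode): string
{
    switch ($mode) {
        case 'raw':     // behaviour before the patch: no encoding at all
            $v = $host_regex;
            break;
        case 'compat':  // encodes < > & and " but leaves ' untouched
            $v = htmlentities($host_regex, ENT_COMPAT, 'UTF-8');
            break;
        case 'quotes':  // what the patch does, with the charset made explicit
            $v = htmlentities($host_regex, ENT_QUOTES, 'UTF-8');
            break;
        default:
            throw new InvalidArgumentException("unknown mode: $mode");
    }
    return "value='" . $v . "'";
}

// True when the attribute value still contains a raw single quote, meaning
// the input can terminate the value='...' attribute early.
function value_breaks_out(string $attr): bool
{
    $inner = substr($attr, strlen("value='"), -1);
    return strpos($inner, "'") !== false;
}

// The host_regex parameter from the advisory's URL, URL-decoded the way PHP
// decodes GET parameters before the application sees them.
$payload = urldecode('%27%3E%3Cscript%3Ealert%281%29%3C/script%3E');

foreach (['raw', 'compat', 'quotes'] as $mode) {
    $attr = render_value_attr($payload, $mode);
    $state = value_breaks_out($attr) ? 'OPEN' : 'safe';
    printf("%-6s %-4s %s\n", $mode, $state, $attr);
}
```

Only the ENT_QUOTES variant encodes the leading single quote, which is why that flag matters for an attribute delimited with single quotes.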