ganglia: CVE-2013-0275 and CVE-2013-1770: several XSS flaws

Related Vulnerabilities: CVE-2013-0275   CVE-2013-1770  

Debian Bug report logs - #700158


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 9 Feb 2013 08:09:02 UTC

Severity: important

Tags: security, wheezy-ignore

Found in version ganglia/3.3.8-1



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#700158; Package src:ganglia. (Sat, 09 Feb 2013 08:09:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Stuart Teasdale <sdt@debian.org>. (Sat, 09 Feb 2013 08:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ganglia: CVE-2013-0275: several XSS flaws
Date: Sat, 09 Feb 2013 09:06:26 +0100
Source: ganglia
Version: 3.3.8-1
Severity: important
Tags: security

Hi

ganglia's web frontend part contains several XSS flaws[0] fixed by [1].

 [0] http://security-tracker.debian.org/tracker/CVE-2013-0275
     http://marc.info/?l=oss-security&m=136034779111740&w=2
 [1] https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e

3.3.8-1 in testing and unstable seems affected. Could you also check
stable and in case adjust the affected version in the BTS?

Please include the CVE in the changelog when fixing the issue.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#700158; Package src:ganglia. (Fri, 15 Feb 2013 18:15:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Fri, 15 Feb 2013 18:15:06 GMT)


Message #10 received at 700158@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 700158@bugs.debian.org, 700159@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#700158: ganglia: CVE-2013-0275: several XSS flaws
Date: Fri, 15 Feb 2013 19:13:25 +0100
Hi Stuart and Daniel

On Sat, Feb 09, 2013 at 09:06:26AM +0100, Salvatore Bonaccorso wrote:
> Source: ganglia
> Version: 3.3.8-1
> Severity: important
> Tags: security
> 
> Hi
> 
> ganglia's web frontend part contains several XSS flaws[0] fixed by [1].
> 
>  [0] http://security-tracker.debian.org/tracker/CVE-2013-0275
>      http://marc.info/?l=oss-security&m=136034779111740&w=2
>  [1] https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e
> 
> 3.3.8-1 in testing and unstable seems affected. Could you also check
> stable and in case adjust the affected version in the BTS?
> 
> Please include the CVE in the changelog when fixing the issue.

Any news on this? Would it be possible to prepare an upload with only
the patch for unstable and have it unblocked for Wheezy? (only needed
for ganglia source package).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#700158; Package src:ganglia. (Thu, 21 Feb 2013 10:51:06 GMT)


Acknowledgement sent to Raphael Geissert <atomo64@gmail.com>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Thu, 21 Feb 2013 10:51:06 GMT)


Message #15 received at 700158@bugs.debian.org:

From: Raphael Geissert <atomo64@gmail.com>
To: oss-security@lists.openwall.com
Cc: 700158@bugs.debian.org, 700159@bugs.debian.org
Subject: Re: [oss-security] CVE request: XSS flaws fixed in ganglia
Date: Thu, 21 Feb 2013 11:47:10 +0100
Hi,

On 8 February 2013 19:06, Vincent Danen <vdanen@redhat.com> wrote:
> A number of XSS issues were fixed in ganglia's web ui:
>
> https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e

I've a hunch that there are a few issues with the changes. A quick
look at the patch shows that the change here breaks the preg_replace
call:

- $query_string = preg_replace("/(&trendhistory=)(\d+)/", "", $query_string);
+ $query_string = preg_replace("/(&trendhistory=)(\d+)/", "",
htmlspecialchars($query_string, ENT_QUOTES) );
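Review bot: in the `+` line the htmlspecialchars() call wraps the input of preg_replace rather than its result, so every `&` in $query_string is already `&amp;` by the time the pattern `/(&trendhistory=)(\d+)/` runs; the pattern therefore never matches and the trendhistory parameter is no longer stripped. Escape after stripping instead, e.g. `$query_string = htmlspecialchars(preg_replace("/(&trendhistory=)(\d+)/", "", $query_string), ENT_QUOTES);`, or leave $query_string raw at this point and escape it where it is echoed into HTML.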

It looks as if the htmlspecialchars call was misplaced.  Not that it
is a security issue, but it's a bug.

Can anyone forward this upstream? I will try to take a look at the
rest of the patch later.

Cheers,
-- 
Raphael Geissert
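The ordering problem described in the message above, shown as an added example; this is not ganglia-web code and the query string (parameter names c, h, trendhistory) is constructed for the demonstration. The first function reproduces the order from the quoted patch, the second strips on the raw string and escapes the result once.

```php
<?php
// Added example, not ganglia-web code: escaping before preg_replace defeats the pattern.
declare(strict_types=1);

// Order from the quoted patch: htmlspecialchars runs first and turns "&" into "&amp;",
// so "/(&trendhistory=)(\d+)/" cannot match and the parameter survives.
function strip_trendhistory_as_patched(string $query_string): string {
    return preg_replace("/(&trendhistory=)(\d+)/", "", htmlspecialchars($query_string, ENT_QUOTES));
}

// Strip on the raw query string, then encode the result once for HTML output.
function strip_trendhistory_then_escape(string $query_string): string {
    $stripped = preg_replace("/(&trendhistory=)(\d+)/", "", $query_string);
    return htmlspecialchars($stripped, ENT_QUOTES);
}

// Constructed query string in the shape of a graph URL; parameter names are assumed.
$qs = 'c=cluster&h=node1&trendhistory=24';

$patched = strip_trendhistory_as_patched($qs);
$fixed   = strip_trendhistory_then_escape($qs);

echo 'as patched: ', $patched, PHP_EOL;
echo 'fixed:      ', $fixed, PHP_EOL;

// Self-check: the patched order leaves trendhistory in place, the fixed order removes it
// and still encodes the remaining "&" separators for HTML.
if (strpos($patched, 'trendhistory=24') === false
    || strpos($fixed, 'trendhistory') !== false
    || strpos($fixed, '&amp;') === false) {
    throw new RuntimeException('unexpected result');
}
```

Run it with `php` on the command line; the self-check at the end throws if either function misbehaves. The general rule it illustrates is to transform data in its raw form and encode exactly once, at the boundary where it leaves the program (here, HTML output).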



Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#700158; Package src:ganglia. (Thu, 21 Feb 2013 11:51:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Thu, 21 Feb 2013 11:51:05 GMT)


Message #20 received at 700158@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: oss-security@lists.openwall.com
Cc: 700158@bugs.debian.org, 700159@bugs.debian.org
Subject: Re: [oss-security] CVE request: XSS flaws fixed in ganglia
Date: Thu, 21 Feb 2013 12:48:11 +0100
Hi Raphael

On Thu, Feb 21, 2013 at 11:47:10AM +0100, Raphael Geissert wrote:
> Hi,
> 
> On 8 February 2013 19:06, Vincent Danen <vdanen@redhat.com> wrote:
> > A number of XSS issues were fixed in ganglia's web ui:
> >
> > https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e
> 
> I've a hunch that there are a few issues with the changes. A quick
> look at the patch shows that the change here breaks the preg_replace
> call:
> 
> - $query_string = preg_replace("/(&trendhistory=)(\d+)/", "", $query_string);
> + $query_string = preg_replace("/(&trendhistory=)(\d+)/", "",
> htmlspecialchars($query_string, ENT_QUOTES) );
> 
> It looks as if the htmlspecialchars call was misplaced.  Not that it
> is a security issue, but it's a bug.
> 
> Can anyone forward this upstream? I will try to take a look at the
> rest of the patch later.

Done as issue #157 for ganglia-web[1].

 [1]: https://github.com/ganglia/ganglia-web/issues/157

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#700158; Package src:ganglia. (Thu, 21 Feb 2013 13:51:02 GMT)


Acknowledgement sent to Raphael Geissert <atomo64@gmail.com>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Thu, 21 Feb 2013 13:51:03 GMT)


Message #25 received at 700158@bugs.debian.org:

From: Raphael Geissert <atomo64@gmail.com>
To: oss-security@lists.openwall.com
Cc: 700158@bugs.debian.org, 700159@bugs.debian.org
Subject: Re: [oss-security] CVE request: XSS flaws fixed in ganglia
Date: Thu, 21 Feb 2013 14:50:13 +0100
Hi again,

On 21 February 2013 11:47, Raphael Geissert <atomo64@gmail.com> wrote:
> On 8 February 2013 19:06, Vincent Danen <vdanen@redhat.com> wrote:
>> A number of XSS issues were fixed in ganglia's web ui:
>>
>> https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e
>
> I've a hunch that there are a few issues with the changes. A quick
> look at the patch shows that the change here breaks the preg_replace
> call:

Forgot the reference, here's the exact code:
https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e#L7R17

[Salvatore, thanks for forwarding it]

Some other notes:

* https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e#L9R35

This is a directory traversal issue that requires authentication, but
there doesn't seem to be a CSRF protection in place (unless I'm
missing something).
The (stored) XSS part of it is not entirely fixed for the case where
an attacker successfully took advantage of it since the sanitation is
only performed when storing to the .json file.

The other operations related to views (in views_view.php) are all
still vulnerable to XSS via the view_name GET parameter.


The authentication cookie uses a persistent token for every user (no
session ids or any sort of nonce), which is an issue on its own, but
it also doesn't verify that the group stored in the cookie actually
corresponds to the user. As of 3.5.7 the groups feature still doesn't
seem to be in use, however.


So I guess we are going to need at least one more CVE id for the
remaining XSS issues in views_view.php and I leave the rest up to the
opinion of others (upstream included).

Cheers,
-- 
Raphael Geissert
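The four points in the message above (view name used in a file path, escaping only at storage time, no CSRF protection, and an unsigned per-user cookie carrying the group), shown together as an added example. This is not ganglia-web code: the directory, parameter names, token layout, cookie format and key are all assumptions made for the demonstration, and nothing is written to disk.

```php
<?php
// Added example, not ganglia-web code. It illustrates:
//  1. a view name that ends up in a file path must be validated, not merely HTML-escaped;
//  2. escaping only when writing the .json leaves already-stored payloads live, so escape on output;
//  3. state-changing view operations need a CSRF token tied to the session;
//  4. the auth cookie should bind user, group and a per-login nonce under a MAC.
// Directory, parameter names, token layout and key are assumptions for this example.
declare(strict_types=1);

const VIEWS_DIR = '/var/lib/ganglia-web/conf';   // assumed location of view_*.json

// 1. Allow-list the view name so it can neither escape VIEWS_DIR nor carry markup.
function validate_view_name(string $name): string {
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('invalid view name');
    }
    return $name;
}

function view_path(string $name): string {
    return VIEWS_DIR . '/view_' . validate_view_name($name) . '.json';
}

// 2. Encode at the point of output, whatever was stored earlier.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_view_title(string $view_name): string {
    return '<h2>' . h($view_name) . '</h2>';
}

// 3. CSRF token: random per session, compared in constant time.
function csrf_token(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function check_csrf(array $session, ?string $submitted): void {
    if ($submitted === null || empty($session['csrf'])
        || !hash_equals($session['csrf'], $submitted)) {
        throw new RuntimeException('CSRF token mismatch');
    }
}

// 4. Auth cookie "user|group|nonce|mac": the MAC covers user and group together, so the
//    group cannot be swapped client-side, and the nonce makes each login's value differ.
//    Fields must not contain '|' (assumed for this example).
function make_auth_cookie(string $user, string $group, string $key): string {
    $payload = $user . '|' . $group . '|' . bin2hex(random_bytes(16));
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

function parse_auth_cookie(string $cookie, string $key): ?array {
    $parts = explode('|', $cookie);
    if (count($parts) !== 4) {
        return null;
    }
    [$user, $group, $nonce, $mac] = $parts;
    $payload = "$user|$group|$nonce";
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    return ['user' => $user, 'group' => $group];
}

// Demo on constructed inputs.
foreach (['daily_load', '../../etc/passwd', '<script>alert(1)</script>'] as $candidate) {
    try {
        echo view_path($candidate), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', h($candidate), PHP_EOL;
    }
}
echo render_view_title('<img src=x onerror=alert(1)>'), PHP_EOL;

$session = [];
$token = csrf_token($session);
check_csrf($session, $token);                  // accepted
try {
    check_csrf($session, 'forged');            // rejected
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

$key = 'constructed-example-key';
$cookie = make_auth_cookie('alice', 'viewers', $key);
$tampered = str_replace('|viewers|', '|admins|', $cookie);
if (parse_auth_cookie($cookie, $key) === null || parse_auth_cookie($tampered, $key) !== null) {
    throw new RuntimeException('cookie check did not behave as expected');
}
```

Of the four measures, only the first (validation) stops a traversal; output encoding addresses the stored payloads that a storage-time fix leaves behind, and the CSRF token is what makes the "requires authentication" qualifier meaningful, since without it a logged-in browser can be driven through the same request by any page. In a real deployment the HMAC key comes from server-side configuration, and a server-side session store is preferable to carrying authorization data in the cookie at all.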



Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#700158; Package src:ganglia. (Tue, 26 Feb 2013 20:36:02 GMT)


Acknowledgement sent to Kurt Seifried <kseifried@redhat.com>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Tue, 26 Feb 2013 20:36:03 GMT)


Message #30 received at 700158@bugs.debian.org:

From: Kurt Seifried <kseifried@redhat.com>
To: oss-security@lists.openwall.com
Cc: Raphael Geissert <atomo64@gmail.com>, 700158@bugs.debian.org, 700159@bugs.debian.org
Subject: Re: [oss-security] CVE request: XSS flaws fixed in ganglia
Date: Tue, 26 Feb 2013 13:33:25 -0700

On 02/21/2013 06:50 AM, Raphael Geissert wrote:
> Hi again,
> 
> On 21 February 2013 11:47, Raphael Geissert <atomo64@gmail.com>
> wrote:
>> On 8 February 2013 19:06, Vincent Danen <vdanen@redhat.com>
>> wrote:
>>> A number of XSS issues were fixed in ganglia's web ui:
>>> 
>>> https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e
>>
>> I've a hunch that there are a few issues with the changes. A quick
>> look at the patch shows that the change here breaks the
>> preg_replace call:
> 
> Forgot the reference, here's the exact code: 
> https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e#L7R17
>
>  [Salvatore, thanks for forwarding it]
> 
> Some other notes:
> 
> *
> https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e#L9R35
>
>  This is a directory traversal issue that requires authentication,
> but there doesn't seem to be a CSRF protection in place (unless
> I'm missing something). The (stored) XSS part of it is not entirely
> fixed for the case where an attacker successfully took advantage of
> it since the sanitation is only performed when storing to the .json
> file.
> 
> The other operations related to views (in views_view.php) are all 
> still vulnerable to XSS via the view_name GET parameter.
> 
> 
> The authentication cookie uses a persistent token for every user
> (no session ids or any sort of nonce), which is an issue on its
> own, but it also doesn't verify that the group stored in the cookie
> actually corresponds to the user. As of 3.5.7 the groups feature
> still doesn't seem to be in use, however.
> 
> 
> So I guess we are going to need at least one more CVE id for the 
> remaining XSS issues in views_view.php and I leave the rest up to
> the opinion of others (upstream included).
> 
> Cheers,

Sorry I forgot about this after all the XML excitement. Please use
CVE-2013-1770 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993




Changed Bug title to 'ganglia: CVE-2013-0275 and CVE-2013-1770: several XSS flaws' from 'ganglia: CVE-2013-0275: several XSS flaws' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 26 Feb 2013 21:54:03 GMT)


Severity set to 'grave' from 'important' Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Fri, 01 Mar 2013 14:33:03 GMT)


Added tag(s) wheezy-ignore. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Fri, 01 Mar 2013 14:39:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#700158; Package src:ganglia. (Tue, 05 Mar 2013 14:30:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Tue, 05 Mar 2013 14:30:03 GMT)


Message #41 received at 700158@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: atomo64@gmail.com
Cc: 700158@bugs.debian.org, 700159@bugs.debian.org
Subject: XSS flaws in ganglia
Date: Tue, 5 Mar 2013 15:26:46 +0100
Hi Raphael, Ganglia maintainers

On Thu, Feb 21, 2013 at 02:50:13PM +0100, Raphael Geissert wrote:
> The other operations related to views (in views_view.php) are all
> still vulnerable to XSS via the view_name GET parameter.

Also reported this now to upstream issue tracker, sorry for the delay.

https://github.com/ganglia/ganglia-web/issues/160

Please include also the CVE for this issue in the changelog when
fixing the issue, it's assigned CVE-2013-1770.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#700158; Package src:ganglia. (Wed, 06 Mar 2013 20:33:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Wed, 06 Mar 2013 20:33:05 GMT)


Message #46 received at 700158@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 700158@bugs.debian.org, 700159@bugs.debian.org
Cc: atomo64@gmail.com
Subject: Re: Bug#700158: XSS flaws in ganglia
Date: Wed, 6 Mar 2013 21:31:43 +0100
On Tue, Mar 05, 2013 at 03:26:46PM +0100, Salvatore Bonaccorso wrote:
> Hi Raphael, Ganglia maintainers
> 
> On Thu, Feb 21, 2013 at 02:50:13PM +0100, Raphael Geissert wrote:
> > The other operations related to views (in views_view.php) are all
> > still vulnerable to XSS via the view_name GET parameter.
> 
> Also reported this now to upstream issue tracker, sorry for the delay.
> 
> https://github.com/ganglia/ganglia-web/issues/160
> 
> Please include also the CVE for this issue in the changelog when
> fixing the issue, it's assigned CVE-2013-1770.

Upstream committed a fix for this issue:

https://github.com/ganglia/ganglia-web/commit/552965f33bf79d41ccbec3f1f26840c8bab54ad6

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Stuart Teasdale <sdt@debian.org>:
Bug#700158; Package src:ganglia. (Mon, 08 Apr 2013 23:30:04 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Stuart Teasdale <sdt@debian.org>. (Mon, 08 Apr 2013 23:30:04 GMT)


Message #51 received at 700158@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 700158@bugs.debian.org
Subject: re: XSS flaws in ganglia
Date: Mon, 8 Apr 2013 19:27:04 -0400
control: severity -1 important

These issues are outside the scope of security support for ganglia.

Best wishes,
Mike



Severity set to 'important' from 'grave' Request was from Michael Gilbert <mgilbert@debian.org> to 700158-submit@bugs.debian.org. (Mon, 08 Apr 2013 23:30:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:56:47 2019; Machine Name: beach
