Debian Bug report logs - #730507
ganglia-web: CVE-2013-6395: XSS flaw in Ganglia web interface
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>: Bug#730507; Package ganglia-web. (Mon, 25 Nov 2013 21:39:06 GMT)
Acknowledgement sent to Eric Sesterhenn <snakebyte@gmx.de>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>. (Mon, 25 Nov 2013 21:39:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: ganglia-web
Version: 3.5.8
Severity: grave
Tags: security upstream
Justification: user security hole
Dear Maintainer,
upstream was already notified (https://github.com/ganglia/ganglia-web/issues/218)
but no reaction so far.
=== Security Advisory ===
Ganglia-Web 3.5.10 - XSS
------------------------------------------------------------
Affected Version
================
At least ganglia-web-3.5.8 and ganglia-web-3.5.10
Problem Overview
================
Technical Risk: medium
Likelihood of Exploitation: medium
Vendor: Open Source / Debian
Reported by: Eric Sesterhenn <snakebyte@gmx.de>
Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013002.txt
Advisory Status: Private
Problem Impact
==============
While taking a quick look at the web interface, an
XSS issue has been found. It is possible to execute JavaScript
in a victim's browser after tricking the victim into
opening a specially crafted URL.
Problem Description
===================
The following URL opens a JavaScript popup in the user's
browser:
http://localhost/ganglia-web-3.5.8/?r=custom&cs=1&ce=1&s=by+name&c=1&h=&host_regex=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E&max_graphs=0&tab=m&vn=&hide-hf=false&sh=1&z=small&hc=0
The GET variable is retrieved in file get_context.php, line 89
and placed into the variable $user['host_regex'] without
escaping. This variable is then placed into the $set_host_regex_value
variable in file header.php, line 494 and printed at line 518.
Temporary Workaround and Fix
============================
Apply the following patch to properly encode the variable:
--- header.php.old 2013-09-30 21:07:26.272287657 +0200
+++ header.php 2013-09-30 21:09:42.226281990 +0200
@@ -491,7 +491,7 @@ $data->assign("custom_time", $custom_tim
/////////////////////////////////////////////////////////////////////////
if ( $context == "cluster" ) {
if ( isset($user['host_regex']) && $user['host_regex'] != "" )
- $set_host_regex_value="value='" . $user['host_regex'] . "'";
+ $set_host_regex_value="value='" . htmlentities($user['host_regex'], ENT_QUOTES) . "'";
else
$set_host_regex_value="";
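Review bot: the added htmlentities() call on the + line passes no charset argument, so the encoding it assumes depends on the PHP version and configuration (ISO-8859-1 before PHP 5.4); pass 'UTF-8' as the third argument so the result does not vary between installations. The hunk also encodes only at this one sink in header.php, while the report says $user['host_regex'] is stored unescaped in get_context.php, so every other place that prints the variable should be checked and encoded in the same way. ENT_QUOTES is the right flag here because the attribute is delimited with single quotes.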
History
=======
30.09.2013 - Issue detected
22.11.2013 - Verified with 3.5.10
22.11.2013 - Notified Vendor
25.11.2013 - Notified Debian
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
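The data flow described in the report above, as an added example that is not part of the original message or of the ganglia-web code base: it renders the same value into a single-quoted attribute three ways and parses the result to check whether the value stayed inside the attribute. The function names and the `<input>` markup are assumptions, the sample value is the decoded `host_regex` parameter from the URL in the report, and PHP's DOM extension is assumed to be installed.

```php
<?php
// Added illustration; function names and the <input> markup are assumptions,
// not ganglia-web code.

// Build a single-quoted value attribute, as header.php does.
function render_attr(string $value): string {
    return "<input type='text' name='host_regex' value='" . $value . "'>";
}

// Pre-patch behaviour: the request value is concatenated unchanged.
function render_raw(string $v): string {
    return render_attr($v);
}

// ENT_COMPAT encodes < > & and " but leaves ' alone, so the value can
// still terminate a single-quoted attribute.
function render_compat(string $v): string {
    return render_attr(htmlentities($v, ENT_COMPAT, 'UTF-8'));
}

// Same flag as the patch (ENT_QUOTES), with the charset made explicit.
function render_quotes(string $v): string {
    return render_attr(htmlentities($v, ENT_QUOTES, 'UTF-8'));
}

// Parse the markup with libxml's HTML parser and confirm that it yields
// exactly one <input>, no <script>, and a value attribute that
// round-trips to the original string.
function value_is_contained(string $html, string $expected): bool {
    libxml_use_internal_errors(true);   // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $inputs = $doc->getElementsByTagName('input');
    return $doc->getElementsByTagName('script')->length === 0
        && $inputs->length === 1
        && $inputs->item(0)->getAttribute('value') === $expected;
}

// Sample value: the host_regex parameter from the URL in the report.
$sample = urldecode('%27%3E%3Cscript%3Ealert%281%29%3C/script%3E');
foreach (['render_raw', 'render_compat', 'render_quotes'] as $fn) {
    $html = $fn($sample);
    printf("%-14s contained=%s\n  %s\n", $fn,
        value_is_contained($html, $sample) ? 'yes' : 'no', $html);
}
```

The same check can be run over ordinary filter expressions to confirm that encoding does not change what the user sees in the form field.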
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>: Bug#730507; Package ganglia-web. (Mon, 25 Nov 2013 22:18:05 GMT)
Acknowledgement sent to Daniel Pocock <daniel@pocock.com.au>: Extra info received and forwarded to list. Copy sent to Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>. (Mon, 25 Nov 2013 22:18:05 GMT)
Message #10 received at 730507@bugs.debian.org:
Hi Eric,
The security team recently made an assessment of Ganglia and decided to
only provide limited security support for the web interface.
Normally the web interface is only used by knowledgeable users and
protected by some kind of web server ACL or HTTP authentication scheme.
At best, pkg-monitoring will continue packaging the upstream releases
and people can use them as they are.
As well as helping with the Debian packages, I'm also an upstream
committer, so please submit your fix as a github pull request upstream
and if nobody else processes it I can accept it through there and it will
then come through the next upstream release into Debian.
Can you please let me know if this explanation is acceptable, lower the
severity to important and let me know if you would like to get more
involved with the Ganglia development.
Thanks for the report
Regards,
Daniel
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>: Bug#730507; Package ganglia-web. (Tue, 26 Nov 2013 07:09:05 GMT)
Acknowledgement sent to Eric Sesterhenn <snakebyte@gmx.de>: Extra info received and forwarded to list. Copy sent to Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>. (Tue, 26 Nov 2013 07:09:05 GMT)
Message #15 received at 730507@bugs.debian.org:
Hello Daniel,
* Daniel Pocock (daniel@pocock.com.au) wrote:
>
> Hi Eric,
>
> The security team recently made an assessment of Ganglia and decided to
> only provide limited security support for the web interface.
>
> Normally the web interface is only used by knowledgeable users and
> protected by some kind of web server ACL or HTTP authentication scheme.
>
> At best, pkg-monitoring will continue packaging the upstream releases
> and people can use them as they are.
>
> As well as helping with the Debian packages, I'm also an upstream
> committer, so please submit your fix as a github pull request upstream
> and if nobody else processes I can accept it through there and it will
> then come through the next upstream release into Debian.
I just submitted the pull request, you can see my branch here:
https://github.com/SesterhennEric/ganglia-web
> Can you please let me know if this explanation is acceptable, lower the
> severity to important and let me know if you would like to get more
> involved with the Ganglia development
I am just browsing random packages while commuting to work and seeing what pops up,
so I am not getting highly involved in Ganglia.
Best regards,
Eric
Changed Bug title to 'ganglia-web: CVE-2013-6395: XSS flaw in Ganglia web interface' from 'ganglia-web: Cross-Site-Scripting Issue in Ganglia-web 3.5.8'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 26 Nov 2013 20:27:16 GMT)
Severity set to 'important' from 'grave'. Request was from Daniel Pocock <daniel@pocock.com.au> to control@bugs.debian.org. (Wed, 27 Nov 2013 09:48:04 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:23:56 2019; Machine Name: beach