oss-sec mailing list archives
Re: CVE request: XSS flaws fixed in ganglia
From: Raphael Geissert <atomo64 () gmail com>
Date: Thu, 21 Feb 2013 14:50:13 +0100
Hi again, On 21 February 2013 11:47, Raphael Geissert <atomo64 () gmail com> wrote:
On 8 February 2013 19:06, Vincent Danen <vdanen () redhat com> wrote:A number of XSS issues were fixed in ganglia's web ui: https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058eI've a hunch that there are a few issues with the changes. A quick look at the patch shows that the change here breaks the preg_replace call:
Forgot the reference, here's the exact code: https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e#L7R17 [Salvatore, thanks for forwarding it] Some other notes: * https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e#L9R35 This is a directory traversal issue that requires authentication, but there doesn't seem to be a CSRF protection in place (unless I'm missing something). The (stored) XSS part of it is not entirely fixed for the case where an attacker successfully took advantage of it since the sanitation is only performed when storing to the .json file. The other operations related to views (in views_view.php) are all still vulnerable to XSS via the view_name GET parameter. The authentication cookie uses a persistent token for every user (no session ids or any sort of nonce), which is an issue on its own, but it also doesn't verify that the group stored in the cookie actually corresponds to the user. As of 3.5.7 the groups feature still doesn't seem to be in use, however. So I guess we are going to need at least one more CVE id for the remaining XSS issues in views_view.php and I leave the rest up to the opinion of others (upstream included). Cheers, -- Raphael Geissert
Current thread:
- CVE request: XSS flaws fixed in ganglia Vincent Danen (Feb 08)
- Re: CVE request: XSS flaws fixed in ganglia Kurt Seifried (Feb 08)
- Re: CVE request: XSS flaws fixed in ganglia Raphael Geissert (Feb 21)
- Re: CVE request: XSS flaws fixed in ganglia Salvatore Bonaccorso (Feb 21)
- Re: CVE request: XSS flaws fixed in ganglia Raphael Geissert (Feb 21)
- Re: CVE request: XSS flaws fixed in ganglia Kurt Seifried (Feb 26)
- Re: CVE request: XSS flaws fixed in ganglia Raphael Geissert (Mar 20)