Sorry for reporting this so late, there were some health issues and a vacation in the way.
=== Security Advisory ===
Ganglia-Web 3.5.10 - XSS
Affected Version
At least ganglia-web-3.5.8 and ganglia-web-3.5.10
Problem Overview
Technical Risk: medium
Likelihood of Exploitation: medium
Vendor: Open Source / Debian
Reported by: Eric Sesterhenn snakebyte@gmx.de
Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013002.txt
Advisory Status: Private
Problem Impact
While taking a quick look at the web interface, a
XSS issue has been found. It is possible to execute JavaScript
in a victims' browser after tricking the victim into
opening a specially crafted URL.
The GET variable is retrieved in file get_context.php, line 89
and placed into the variable $user['host_regex'] without
escaping. This variable is then placed into the $set_host_regex_value
variable in file header.php, line 494 and printed at line 518.
Temporary Workaround and Fix
Apply the following patch to properly encode the variable:
Sorry for reporting this so late, there were some health issues and a vacation in the way.
=== Security Advisory ===
Ganglia-Web 3.5.10 - XSS
Affected Version
At least ganglia-web-3.5.8 and ganglia-web-3.5.10
Problem Overview
Technical Risk: medium Likelihood of Exploitation: medium Vendor: Open Source / Debian Reported by: Eric Sesterhenn snakebyte@gmx.de Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013002.txt Advisory Status: Private
Problem Impact
While taking a quick look at the web interface, a XSS issue has been found. It is possible to execute JavaScript in a victims' browser after tricking the victim into opening a specially crafted URL.
Problem Description
The following URL opens a JavaScript popup in the users' browser: http://localhost/ganglia-web-3.5.8/?r=custom&cs=1&ce=1&s=by+name&c=1&h=&host_regex=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E&max_graphs=0&tab=m&vn=&hide-hf=false&sh=1&z=small&hc=0
The GET variable is retrieved in file get_context.php, line 89 and placed into the variable $user['host_regex'] without escaping. This variable is then placed into the $set_host_regex_value variable in file header.php, line 494 and printed at line 518.
Temporary Workaround and Fix
Apply the following patch to properly encode the variable:
--- header.php.old 2013-09-30 21:07:26.272287657 +0200 +++ header.php 2013-09-30 21:09:42.226281990 +0200 @@ -491,7 +491,7 @@ $data->assign("custom_time", $custom_tim ///////////////////////////////////////////////////////////////////////// if ( $context == "cluster" ) { if ( isset($user['host_regex']) && $user['host_regex'] != "" )
History
30.09.2013 - Issue detected 22.11.2013 - Verified with 3.5.10