Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: XSS flaws fixed in ganglia
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 26 Feb 2013 13:33:25 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/21/2013 06:50 AM, Raphael Geissert wrote:
Hi again,

On 21 February 2013 11:47, Raphael Geissert <atomo64 () gmail com>
wrote:
On 8 February 2013 19:06, Vincent Danen <vdanen () redhat com>
wrote:
A number of XSS issues were fixed in ganglia's web ui:

https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e



I've a hunch that there are a few issues with the changes. A quick
look at the patch shows that the change here breaks the
preg_replace call:

Forgot the reference, here's the exact code: 
https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e#L7R17

 [Salvatore, thanks for forwarding it]

Some other notes:

*
https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e#L9R35

 This is a directory traversal issue that requires authentication,
but there doesn't seem to be a CSRF protection in place (unless
I'm missing something). The (stored) XSS part of it is not entirely
fixed for the case where an attacker successfully took advantage of
it since the sanitation is only performed when storing to the .json
file.

The other operations related to views (in views_view.php) are all 
still vulnerable to XSS via the view_name GET parameter.


The authentication cookie uses a persistent token for every user
(no session ids or any sort of nonce), which is an issue on its
own, but it also doesn't verify that the group stored in the cookie
actually corresponds to the user. As of 3.5.7 the groups feature
still doesn't seem to be in use, however.


So I guess we are going to need at least one more CVE id for the 
remaining XSS issues in views_view.php and I leave the rest up to
the opinion of others (upstream included).

Cheers,

Sorry I forgot about this after all the XML excitement. Please use
CVE-2013-1770 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRLRwUAAoJEBYNRVNeJnmT/voQAIODImCIuIzSbo+4gjczgs5g
Zj2oynsTM4cYqZcCKeKqHq7L0Vql/vLOt/P/WzpRzi7FRqIOlSwu3XoZC/PmX8wm
3bqrJxmNRQUZ9rdOBiu77eZ9w6MKBFeuW1Q13JSXGFLJVQK/dUj9qMn1qaGgd2Gz
kTUmTgghqjLi93LWyjvHfheKzkrq9CRsr3u63nrvekJbsFgopoyA3PwxsDeSlnDO
KSMPvYbiO6O6J8eoUMI7XFEb8KMeoqxIYQgIoRN+M+9y3MSPFdC/RuuNwg5NEYwR
uImdjWoc4zUTciajnWD8lmjsMe5HN5HpD4+Aj9Q2+wGUQ6c1pqMcqMHmqrxeY+6N
VFtoJbkVsPHEm3YVLMp14JVQ5/jadJhBiGv7fHxCy8ctmGQxGKaHSK3nrfzExwzc
7JqP6+7Stz592iqXRcItJGgMz891G0M5wrOu6h+GLMVRZuQhjmXFHolArfYUsBBH
TczXZXz44z4TwWYfA+mJ0aFpuPNI1BkasGBthsYpBuVVlrLgWvWrAm8180dXDE6C
8LXrtxJljuwXJv4sa4YquYvGF8WMnWPWzN4wscLhJ1yjAl1YKGolHoFab1MK7/4w
Ggs+qd/DMicxSth4BwkbS7r/sO/epGMox0AfzmiPEt/jWArSVQCN8iY5R41u56+/
OXQL2Nb/xQjXYjnF2JfJ
=L3sJ
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault