Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAA7hUgHW=VwfsffPfFxvhZ=fS5fPf=79jZ-tdsCkZJgEfEksjA@mail.gmail.com>
Date: Thu, 21 Feb 2013 14:50:13 +0100
From: Raphael Geissert <atomo64@...il.com>
To: oss-security@...ts.openwall.com
Cc: 700158@...s.debian.org, 700159@...s.debian.org
Subject: Re: CVE request: XSS flaws fixed in ganglia

Hi again,

On 21 February 2013 11:47, Raphael Geissert <atomo64@...il.com> wrote:
> On 8 February 2013 19:06, Vincent Danen <vdanen@...hat.com> wrote:
>> A number of XSS issues were fixed in ganglia's web ui:
>>
>> https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e
>
> I've a hunch that there are a few issues with the changes. A quick
> look at the patch shows that the change here breaks the preg_replace
> call:

Forgot the reference, here's the exact code:
https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e#L7R17

[Salvatore, thanks for forwarding it]

Some other notes:

* https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e#L9R35

This is a directory traversal issue that requires authentication, but
there doesn't seem to be a CSRF protection in place (unless I'm
missing something).
The (stored) XSS part of it is not entirely fixed for the case where
an attacker successfully took advantage of it since the sanitation is
only performed when storing to the .json file.

The other operations related to views (in views_view.php) are all
still vulnerable to XSS via the view_name GET parameter.


The authentication cookie uses a persistent token for every user (no
session ids or any sort of nonce), which is an issue on its own, but
it also doesn't verify that the group stored in the cookie actually
corresponds to the user. As of 3.5.7 the groups feature still doesn't
seem to be in use, however.


So I guess we are going to need at least one more CVE id for the
remaining XSS issues in views_view.php and I leave the rest up to the
opinion of others (upstream included).

Cheers,
-- 
Raphael Geissert

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.