[Secure-testing-team] Bug#730507: ganglia-web: Cross-Site-Scripting Issue in Ganglia-web 3.5.8

Eric Sesterhenn snakebyte at gmx.de
Mon Nov 25 21:35:47 UTC 2013 

Package: ganglia-web
Version: 3.5.8
Severity: grave
Tags: security upstream
Justification: user security hole

Dear Maintainer,

upstream was already notified (https://github.com/ganglia/ganglia-web/issues/218)
but no reaction so far. 

=== Security Advisory ===

Ganglia-Web 3.5.10 - XSS
------------------------------------------------------------

Affected Version
================
At least ganglia-web-3.5.8 and ganglia-web-3.5.10

Problem Overview
================
Technical Risk: medium
Likelihood of Exploitation: medium
Vendor: Open Source / Debian
Reported by: Eric Sesterhenn <snakebyte at gmx.de>
Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013002.txt
Advisory Status: Private

Problem Impact
==============
While taking a quick look at the web interface, a
XSS issue has been found. It is possible to execute JavaScript 
in a victims' browser after tricking the victim into
opening a specially crafted URL.


Problem Description
===================
The following URL opens a JavaScript popup in the users' 
browser:
http://localhost/ganglia-web-3.5.8/?r=custom&cs=1&ce=1&s=by+name&c=1&h=&host_regex=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E&max_graphs=0&tab=m&vn=&hide-hf=false&sh=1&z=small&hc=0

The GET variable is retrieved in file get_context.php, line 89
and placed into the variable $user['host_regex'] without
escaping. This variable is then placed into the $set_host_regex_value
variable in file header.php, line 494 and printed at line 518.



Temporary Workaround and Fix
============================
Apply the following patch to properly encode the variable:

--- header.php.old	2013-09-30 21:07:26.272287657 +0200
+++ header.php	2013-09-30 21:09:42.226281990 +0200
@@ -491,7 +491,7 @@ $data->assign("custom_time", $custom_tim
 /////////////////////////////////////////////////////////////////////////
 if ( $context == "cluster" ) {
   if ( isset($user['host_regex']) && $user['host_regex'] != "" )
-    $set_host_regex_value="value='" . $user['host_regex'] . "'";
+    $set_host_regex_value="value='" . htmlentities($user['host_regex'], ENT_QUOTES) . "'";
   else
     $set_host_regex_value="";
 

History
=======
30.09.2013 - Issue detected
22.11.2013 - Verified with 3.5.10
22.11.2013 - Notified Vendor
25.11.2013 - Notified Debian



-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

More information about the Secure-testing-team mailing list