Bug 11782 - ganglia-web new security issue CVE-2013-6395
: ganglia-web new security issue CVE-2013-6395
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/575366/
: advisory has_procedure MGA3-64-OK MGA...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-11-26 18:57 CET by David Walser
Modified: 2013-12-02 16:43 CET (History)
4 users (show)

See Also:
Source RPM: ganglia-web-3.5.10-2.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-11-26 18:57:56 CET
An XSS vulnerability in ganglia-web 3.5.10 was reported:
http://openwall.com/lists/oss-security/2013/11/26/4

It was assigned CVE-2013-6395:
http://openwall.com/lists/oss-security/2013/11/26/12

The patch in the first oss-security message is the same as the one in the debian bug, but it looks like a different patch was submitted in the github pull request mentioned on the debian bug:
https://github.com/SesterhennEric/ganglia-web/commit/91f9d9893f0a349521710a542af09ba2d69dcf81

I'm not sure if version 3.5.4 in Mageia 3 is affected.

Reproducible: 

Steps to Reproduce:
Comment 1 Johnny A. Solbu 2013-11-29 16:28:18 CET
(In reply to David Walser from comment #0)
> I'm not sure if version 3.5.4 in Mageia 3 is affected.

How do we find out? Apply the patch to it and try building it?
Comment 2 David Walser 2013-11-29 16:32:31 CET
(In reply to Johnny A. Solbu from comment #1)
> (In reply to David Walser from comment #0)
> > I'm not sure if version 3.5.4 in Mageia 3 is affected.
> 
> How do we find out? Apply the patch to it and try building it?

Yeah, if the affected code looks reasonably similar, it's probably affected.  If you're really unsure, maybe asking upstream could help too.
Comment 3 Johnny A. Solbu 2013-11-29 16:48:09 CET
Fixed and submitted to Cauldron
Comment 4 David Walser 2013-11-29 16:53:25 CET
Thanks Johnny!  Fixed in ganglia-web-3.5.10-3.mga4.

The upstream advisory contains more information that may be helpful:
http://www.rusty-ice.de/advisory/advisory_2013002.txt

Under problem description there is a sample URL you can use as a proof of concept to reproduce the vulnerability.  You could use that to test the Mageia 3 version to see if it's affected (as well as verifying that it's now fixed in Cauldron).
Comment 5 Johnny A. Solbu 2013-11-29 17:04:38 CET
(In reply to David Walser from comment #4)
> Under problem description there is a sample URL you can use as a proof of
> concept to reproduce the vulnerability.  You could use that to test the
> Mageia 3 version to see if it's affected

And it sems to also affect mga3. When I patched and installed the patched version, the popup didn't appear. Will commit the fix for mga3 in a few minutes.
Comment 6 Johnny A. Solbu 2013-11-29 17:27:51 CET
I have uploaded updated packages for mageia 3

Suggested advisory:
===
It is possible to execute JavaScript in a victims' browser after tricking the victim into opening a specially crafted URL.
This update fixes this.
===

Source RPM:
ganglia-web-3.5.4-2.1.mga3.src.rpm

Updated mageia 3 packages in core/updates_testing:
ganglia-web-3.5.4-2.1.mga3
Comment 7 David Walser 2013-11-29 21:01:37 CET
Thanks Johnny!

Advisory:
========================

Updated ganglia-web package fixes security vulnerability:

XSS issue in ganglia-web makes it possible to execute JavaScript in victims'
browser after tricking the victim into opening a specially crafted URL
(CVE-2013-6395).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6395
http://www.rusty-ice.de/advisory/advisory_2013002.txt
========================

Updated packages in core/updates_testing:
========================
ganglia-web-3.5.4-2.1.mga3

from ganglia-web-3.5.4-2.1.mga3.src.rpm
Comment 8 Dave Hodgins 2013-11-30 14:06:53 CET
Advisory 11782.adv committed to svn.

Note there is a poc in the referenced advisory.
Comment 9 Dave Hodgins 2013-11-30 16:07:29 CET
On Mageia 3, i586, before installing the update,
http://localhost/ganglia/?r=custom&cs=1&ce=1&s=by+name&c=1&h=&host_regex=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E&max_graphs=0&tab=m&vn=&hide-hf=false&sh=1&z=small&hc=0
does execute the javascript.

Also noticed error from systemctl -a status gmond.service ...
Nov 30 09:45:47 i3v.hodgins.homeip.net systemd[1]: Started Ganglia Meta Daemon.
Nov 30 09:45:47 i3v.hodgins.homeip.net /usr/sbin/gmond[5059]: [PYTHON] Can't open the python module path /usr/lib/ganglia/python_modules.
Nov 30 09:45:47 i3v.hodgins.homeip.net /usr/sbin/gmond[5059]: Module python_module failed to initialize.

ganglia-web is working, but it doesn't appear that gmond is actually
gathering any data.

On Mageia 3, x86_64, despite a similar error, /usr/lib64 instead of /usr/lib,
it's clear it is gathering data.

After installing the update, the javascript does not get executed.

I'll open a bug report for ganglia-core on i586, then validate this update.
Comment 10 Dave Hodgins 2013-11-30 16:11:04 CET
Bug 11835 opened for the data gathering problem on i586.

Someone from the sysadmin team please push 11782.adv to updates.
Comment 11 Thomas Backlund 2013-11-30 22:48:54 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0361.html

Note You need to log in before you can comment on or make changes to this bug.