List: oss-security
Subject: Re: [oss-security] CVE request: XSS flaw in Ganglia web interface
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2013-11-26 17:39:49
Message-ID: 5294DCE5.7020802 () redhat ! com
On 11/25/2013 08:54 PM, Murray McAllister wrote:
> Hello,
>
> A cross-site scripting (XSS) flaw was discovered in the Ganglia
> web interface:
>
> https://github.com/ganglia/ganglia-web/issues/218
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=730507
>
> Quoting from the original report:
>
> "" Temporary Workaround and Fix ============================ Apply
> the following patch to properly encode the variable:
>
> --- header.php.old 2013-09-30 21:07:26.272287657 +0200 +++
> header.php 2013-09-30 21:09:42.226281990 +0200 @@ -491,7 +491,7
> @@ $data->assign("custom_time", $custom_tim
> /////////////////////////////////////////////////////////////////////////
>
>
if ( $context == "cluster" ) {
> if ( isset($user['host_regex']) && $user['host_regex'] != "" ) -
> $set_host_regex_value="value='" . $user['host_regex'] . "'"; +
> $set_host_regex_value="value='" .
> htmlentities($user['host_regex'], ENT_QUOTES) . "'"; else
> $set_host_regex_value=""; ""
>
> The fix does not apply to the older versions in EPEL (3.0.7 and
> 3.1.7), but I did not test to see if they were affected.
>
> Can a CVE please be assigned if one has not been already?
>
> Thanks,
>
> -- Murray McAllister / Red Hat Security Response Team
Please use CVE-2013-6395 for this issue.
--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
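The point of the quoted patch, shown side by side as an added example (not code from the Ganglia project or from either poster): the host regex is spliced into a single-quoted HTML attribute, so only an encoder that also escapes the single quote closes the hole. The function name and the sample input are constructed for illustration.

```php
<?php
// Build the same attribute fragment that header.php builds for the
// host_regex field, with a caller-chosen htmlentities() flag set.
function host_regex_attr(string $host_regex, int $flags): string
{
    return "value='" . htmlentities($host_regex, $flags, 'UTF-8') . "'";
}

// Constructed sample input containing both quote characters.
$host_regex = "node's \"web\" tier";

// Before the fix: the raw value is concatenated straight into the attribute,
// so the single quote in the input ends the attribute early.
$vulnerable = "value='" . $host_regex . "'";

// ENT_COMPAT (what htmlentities() uses when no flags are passed on the PHP
// versions current at the time) encodes only the double quotes; the single
// quote survives, so this still breaks out of the single-quoted attribute.
$still_broken = host_regex_attr($host_regex, ENT_COMPAT);

// The patch's choice: ENT_QUOTES encodes both ' and ", so nothing in the
// user-controlled value can close the attribute.
$fixed = host_regex_attr($host_regex, ENT_QUOTES);

echo "raw:        ", $vulnerable, PHP_EOL;
echo "ENT_COMPAT: ", $still_broken, PHP_EOL;
echo "ENT_QUOTES: ", $fixed, PHP_EOL;
```

Running it shows that only the ENT_QUOTES line keeps the whole input inside the attribute value; the first two lines both contain a bare single quote.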