Hi Alex:

Looks like we need to re-visit the XSS patches again.  It looks like
some changes are preventing gridwalk from working.

In the following two patches:

http://ganglia.svn.sourceforge.net/viewvc/ganglia/branches/monitor-core-3.0-beta/web/get_context.php?r1=905&r2=904&pathrev=905
http://ganglia.svn.sourceforge.net/viewvc/ganglia/branches/monitor-core-3.0-beta/web/header.php?r1=905&r2=904&pathrev=905

Specifically on $gridstack.

You changed the explosion string from ">" to ":" probably because ">"
will get converted when you run clean_string() on
rawurldecode($_GET["gs"]).  However, gs is in the form
"[EMAIL PROTECTED]>[EMAIL PROTECTED]" where "url" includes "http://" and thus
using ":" as the explosion string wouldn't work here.

Instead of the changes you made, I suggest that we change the
explosion string back to ">" but instead of running clean_string() on
the entire rawurldecode($_GET["gs"]) array, I suggest we drill down
and run clean_string() on each element.  The following patch against
get_context.php is what I mean:

Index: get_context.php
===================================================================
--- get_context.php     (revision 1139)
+++ get_context.php     (working copy)
@@ -43,10 +43,13 @@
     escapeshellcmd($_GET["z"]) : NULL;
 # A stack of grid parents. Prefer a GET variable, default to cookie.
 if (isset($_GET["gs"]) and $_GET["gs"])
-      $gridstack = explode(":", clean_string( rawurldecode($_GET["gs"] ) ) );
+      $gridstack = explode(">", rawurldecode($_GET["gs"] ) );
 else
-      $gridstack = explode(":", clean_string( $_COOKIE["gs"] ) );
+      $gridstack = explode(">", $_COOKIE["gs"] );

+foreach ($gridstack as $gp)
+   $gp = clean_string($gp);
+
 # Assume we are the first grid visited in the tree if there are no
CGI variables,
 # or gridstack is not well formed. Gridstack always has at least one element.
 if (!count($_GET) or !strstr($gridstack[0], "http://";))
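
Review bot: the added foreach loop at the end of the hunk iterates by value, so `$gp = clean_string($gp);` only overwrites the loop's temporary copy and leaves the elements of $gridstack exactly as they came out of explode(). With clean_string() removed from both explode() calls above it, the values from $_GET["gs"] and $_COOKIE["gs"] reach the rest of the script uncleaned. Either iterate by reference (`foreach ($gridstack as &$gp)` followed by `unset($gp);`) or assign the result back with `$gridstack = array_map('clean_string', $gridstack);` so the per-element cleaning lands in the array that is used afterwards.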

Makes sense?

Thanks,

Bernard

_______________________________________________
Ganglia-developers mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ganglia-developers
