It is implemented on 3.5.12 Is this fixed on the latest version? Cumprimentos / Best regards, Cristóvão José Domingues Cordeiro IT Department - 28/R-018 CERN ________________________________ From: Vladimir Vuksan [vli...@veus.hr] Sent: 07 November 2014 22:31 To: Cristovao Jose Domingues Cordeiro; ganglia-general@lists.sourceforge.net Subject: Re: [Ganglia-general] XSS vulnerabilities in Ganglia web
Hi Cristovao, what Ganglia Web version was tested ? Is this against latest e.g. 3.6.2 ? Thanks, Vladimir On 04/11/2014 03:35 AM, Cristovao Jose Domingues Cordeiro wrote: Hi all, recently I've updated my Ganglia web frontend to the latest version (so I could perform HTTP queries) and when I issued the security check with skipfish I got these: Vulnerabilities found: 33 · Severity: 4, Type: File inclusion ...... ...... · Severity: 4, Type: Query injection vector ...... ...... · Severity: 4, Type: Shell injection vector ...... ...... · Severity: 4, Type: Server-side XML injection vector ...... ...... · Severity: 3, Type: Directory traversal / file inclusion possible ······ ······ · Severity: 3, Type: XSS vector in document body ...... ...... Now, these are too many vulnerabilities, but I don't know if they can affect the backend of if they just affect the frontend. Do you know? The XSS vulnerability must be fixed for sure. I've seen some references to this in your release notes (e.g. http://www.mail-archive.com/ganglia-general%40lists.sourceforge.net/msg08004.html ) but in fact there if no difference between these last releases and the ones before that announcement. Is there a workaround for this? I can not open this Ganglia machine to the outside world if I don't have this fixed.
------------------------------------------------------------------------------
_______________________________________________ Ganglia-general mailing list Ganglia-general@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ganglia-general