It is implemented on 3.5.12
Is this fixed on the latest version?

Cumprimentos / Best regards,
Cristóvão José Domingues Cordeiro
IT Department - 28/R-018
CERN
________________________________
From: Vladimir Vuksan [vli...@veus.hr]
Sent: 07 November 2014 22:31
To: Cristovao Jose Domingues Cordeiro; ganglia-general@lists.sourceforge.net
Subject: Re: [Ganglia-general] XSS vulnerabilities in Ganglia web

Hi Cristovao,

What Ganglia Web version was tested? Is this against the latest, e.g. 3.6.2?

Thanks,

Vladimir

On 04/11/2014 03:35 AM, Cristovao Jose Domingues Cordeiro wrote:
Hi all,

recently I've updated my Ganglia web frontend to the latest version (so I could 
perform HTTP queries) and when I issued the security check with skipfish I got 
these:

Vulnerabilities found: 33

    · Severity: 4, Type: File inclusion
    ......
    ......
    · Severity: 4, Type: Query injection vector
    ......
    ......
    · Severity: 4, Type: Shell injection vector
    ......
    ......
    · Severity: 4, Type: Server-side XML injection vector
    ......
    ......
    · Severity: 3, Type: Directory traversal / file inclusion possible
    ......
    ......
    · Severity: 3, Type: XSS vector in document body
    ......
    ......


Now, these are too many vulnerabilities, but I don't know if they can affect 
the backend or if they just affect the frontend. Do you know?

The XSS vulnerability must be fixed for sure. I've seen some references to this 
in your release notes (e.g. 
http://www.mail-archive.com/ganglia-general%40lists.sourceforge.net/msg08004.html ) 
but in fact there is no difference between these last releases and the ones 
before that announcement.

Is there a workaround for this? I cannot open this Ganglia machine to the 
outside world if I don't have this fixed.
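The finding category "XSS vector in document body" from the skipfish report above is the classic reflected-input pattern: a request parameter is written into the HTML response without encoding. The following is a generic added illustration written for this thread, not Ganglia's own code (Ganglia Web is PHP; this is Python), showing the vulnerable rendering next to the hardened one and a small regression check a maintainer can keep in a test suite. The query strings, parameter names `c`/`h` and the `render_*` functions are constructed for the example.

```python
"""Reflected XSS in the document body: vulnerable rendering beside the fixed one.
Generic illustration written for this thread; not Ganglia's source code."""
import html
from urllib.parse import parse_qs

# Constructed sample query strings: a normal request and one carrying raw markup,
# similar in spirit to what a scanner such as skipfish sends to find reflection.
SAMPLE_QUERIES = [
    "c=mycluster&h=node01",
    "c=mycluster&h=<b>injected</b>",
]


def get_param(query: str, name: str) -> str:
    """Return the first value of `name` from a URL query string ("" if absent)."""
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_unsafe(query: str) -> str:
    """Vulnerable pattern: the host name is concatenated straight into the markup,
    so any tag supplied in the parameter becomes part of the page."""
    host = get_param(query, "h")
    return f"<h2>Host report for {host}</h2>"


def render_safe(query: str) -> str:
    """Hardened pattern: html.escape encodes <, >, & and (with quote=True, the
    default) both quote characters before the value reaches the document body."""
    host = get_param(query, "h")
    return f"<h2>Host report for {html.escape(host, quote=True)}</h2>"


def reflects_raw_markup(rendered: str, marker: str = "<b>") -> bool:
    """Regression check: True if the tag marker survives unencoded in the output,
    i.e. the page still reflects user-controlled markup."""
    return marker in rendered


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print("unsafe:", render_unsafe(q),
              "| raw markup reflected:", reflects_raw_markup(render_unsafe(q)))
        print("safe:  ", render_safe(q),
              "| raw markup reflected:", reflects_raw_markup(render_safe(q)))
```

The check only answers the question the scanner raises (does markup come back unencoded?); it says nothing about the backend, since the reflection happens entirely in the web frontend's response. Attribute and JavaScript contexts need their own encoding rules, which `html.escape` alone does not cover.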

------------------------------------------------------------------------------
_______________________________________________
Ganglia-general mailing list
Ganglia-general@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ganglia-general