Re: [Ganglia-developers] [Ganglia-general] Ganglia-Web 3.7.0 released - includes security fixes
Vladimir and all:

Since it's not easy to set up the env of the ganglia web frontend, I tried to add a trouble-shooting part to the wiki page of ganglia-web, as follows:

== Trouble shooting ==

* You need to copy `/var/www/ganglia2/apache.conf` (Ubuntu/Debian) or `/var/www/html/ganglia2/apache.conf` (CentOS/RHEL) to `/etc/apache2/sites-enabled`.
* In most cases, you need to modify the above apache.conf to make sure the alias /ganglia refers to `/var/www/ganglia2` (Ubuntu/Debian) or `/var/www/html/ganglia2` (CentOS/RHEL).
* In most cases, you need to modify `/var/www/ganglia2/conf_default.php` (Ubuntu/Debian) or `/var/www/html/ganglia2` (CentOS/RHEL) to make sure `gweb_confdir` refers to the directory in which the `conf` and `dwoo` directories are located, such as `/var/lib/ganglia-web` or `/var/lib/ganglia`.
* Make sure you have the rrds dir under `gmetad_root`.
* Make sure the above rrds dir is owned by the user `nobody`.

If you guys think this is not bad, how could I push it into the wiki page? It seems that's not the same process as submitting a patch to the source code.

Thank you,
-jack

--
Ganglia-developers mailing list
Ganglia-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ganglia-developers
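A checklist script for the points in Jack's list, added here as an example; it is not ganglia-web project code and not part of the wiki text. Each check takes its paths as arguments so the same functions fit the Debian (`/var/www/ganglia2`) and RHEL (`/var/www/html/ganglia2`) layouts, and the fixture it builds under a temporary directory is constructed for the demonstration. The `$conf['gweb_confdir'] = "..."` line shape is an assumption about conf_default.php; the match only requires the key and a quoted path on one line.

```shell
#!/bin/sh
# Added example (not ganglia-web project code): checks for the troubleshooting
# points above. Paths are arguments so the same functions fit the Debian
# (/var/www/ganglia2) and RHEL (/var/www/html/ganglia2) layouts.

# check_alias CONF DIR: prints "ok" if CONF contains "Alias /ganglia DIR".
check_alias() {
    conf=$1; dir=$2
    if grep -Eq "^[[:space:]]*Alias[[:space:]]+/ganglia[[:space:]]+[\"']?${dir}/?[\"']?[[:space:]]*$" "$conf"; then
        echo ok
    else
        echo "FAIL: /ganglia is not aliased to $dir in $conf"
    fi
}

# check_confdir PHP DIR: prints "ok" if PHP sets gweb_confdir to DIR and DIR
# contains the conf/ and dwoo/ directories. The assumed line shape is
#   $conf['gweb_confdir'] = "DIR";
# but only the key and a quoted path on the same line are required.
check_confdir() {
    php=$1; dir=$2
    if ! grep -Eq "gweb_confdir.*[\"']${dir}/?[\"']" "$php"; then
        echo "FAIL: gweb_confdir is not set to $dir in $php"; return
    fi
    for sub in conf dwoo; do
        if [ ! -d "$dir/$sub" ]; then
            echo "FAIL: $dir/$sub does not exist"; return
        fi
    done
    echo ok
}

# check_rrds ROOT OWNER: prints "ok" if ROOT/rrds exists and is owned by OWNER
# (the list says "nobody"; whatever user gmetad runs as is what matters).
# ls -ld + awk is used instead of stat because stat's flags differ per OS.
check_rrds() {
    root=$1; owner=$2
    if [ ! -d "$root/rrds" ]; then
        echo "FAIL: $root/rrds does not exist"; return
    fi
    actual=$(ls -ld "$root/rrds" | awk '{print $3}')
    if [ "$actual" = "$owner" ]; then
        echo ok
    else
        echo "FAIL: $root/rrds is owned by $actual, expected $owner"
    fi
}

# make_fixture: builds a constructed layout under a temp dir and prints its
# path, so the checks can be exercised without a real installation.
make_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/www/ganglia2" "$t/lib/ganglia-web/conf" "$t/lib/ganglia-web/dwoo" "$t/rrd/rrds"
    printf 'Alias /ganglia %s/www/ganglia2\n' "$t" > "$t/www/ganglia2/apache.conf"
    printf "\$conf['gweb_confdir'] = \"%s/lib/ganglia-web\";\n" "$t" > "$t/www/ganglia2/conf_default.php"
    echo "$t"
}

# Stand-alone run: exercise the checks on the constructed fixture, including
# one deliberate mismatch so the failure message is visible.
fixture=$(make_fixture)
check_alias "$fixture/www/ganglia2/apache.conf" "$fixture/www/ganglia2"
check_confdir "$fixture/www/ganglia2/conf_default.php" "$fixture/lib/ganglia-web"
check_rrds "$fixture/rrd" "$(id -un)"
check_alias "$fixture/www/ganglia2/apache.conf" /var/www/html/ganglia2
rm -rf "$fixture"
```

On a real host, point the three checks at the copied apache.conf, conf_default.php and `gmetad_root` instead of the fixture; a `FAIL:` line names the item from the list that still needs attention.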
Re: [Ganglia-developers] [Ganglia-general] Ganglia-Web 3.7.0 released - includes security fixes
I will look into correcting this; however, in my initial reading there is an extremely low amount of risk here. Ganglia Web uses cookies only for things like:

- Aggregate graphs input field arguments, e.g. host regex, metric regex
- Which tab you have open, etc.

There is no risk of session hijacking as we do not use cookies for authentication.

Vladimir

On 05/29/2015 02:37 AM, Cristovao Cordeiro wrote:

Hi,

I think I've sent an email about this many months ago. Now, after the update, this is the output from skipfish:

Summary: The application is missing the 'httpOnly' cookie attribute
Vulnerability Detection Result: The cookies ... are missing the httpOnly attribute.
Impact: Application
Solution: Set the 'httpOnly' attribute for any session cookies.
Affected Software/OS: Application with session handling in cookies.
Vulnerability Insight: The flaw is due to a cookie is not using the 'httpOnly' attribute. This allows a cookie to be accessed by JavaScript which could lead to session hijacking attacks.
Vulnerability Detection Method: Check all cookies sent by the application for a missing 'httpOnly' attribute
Details: Missing httpOnly Cookie Attribute

Thanks

Cumprimentos / Best regards,
Cristóvão José Domingues Cordeiro

From: Vladimir Vuksan [vli...@veus.hr]
Sent: 28 May 2015 22:57
To: Cristovao Cordeiro; ganglia-developers@lists.sourceforge.net; Ganglia
Subject: Re: [Ganglia-general] Ganglia-Web 3.7.0 released - includes security fixes

Is there an issue open for this and what are the details?

Vladimir

On 05/28/2015 04:40 AM, Cristovao Cordeiro wrote:

Hi all,

was this issue addressed:

NVT: Missing httpOnly Cookie Attribute
OID: 1.3.6.1.4.1.25623.1.0.105925
Threat: Medium (CVSS: 5.0)
Port: 80/tcp

Because after updating I still have it. Any idea on how to solve it?

Thanks

Cumprimentos / Best regards,
Cristóvão José Domingues Cordeiro
IT Department - 28/R-018
CERN

From: Vladimir Vuksan [vli...@veus.hr]
Sent: 21 May 2015 20:22
To: ganglia-developers@lists.sourceforge.net; Ganglia
Subject: [Ganglia-general] Ganglia-Web 3.7.0 released - includes security fixes

Hi all,

Ganglia Web 3.7.0 has been released. Major highlights are:

Cubism integration: https://github.com/ganglia/ganglia-web/wiki/Cubism-integration
Ganglia Reporting: https://github.com/ganglia/ganglia-web/wiki/Ganglia-Reports
A couple of reported XSS issues have been corrected

If you are running Ganglia Web on a publicly accessible server you are strongly advised to upgrade ASAP.

You can download the latest release from here: https://sourceforge.net/projects/ganglia/files/ganglia-web/
Installation instructions can be found here: https://github.com/ganglia/ganglia-web/wiki#Installation
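Vladimir's point is that these cookies hold UI state rather than a session, so the "session hijacking" impact the scanner attaches to the finding does not apply to Ganglia Web; the scanner's check itself is easy to reproduce locally, which is useful both for confirming a finding and for verifying that a web-server-side fix closes it. The script below is added here as an example and is not Ganglia Web code: it runs the same HttpOnly check over a constructed response header block (the cookie names and values are made up for the demonstration, not the project's real cookie names) and emulates the effect of the Apache mod_headers `Header edit Set-Cookie` rewrite that is commonly used to add the attribute in front of an application that does not set it.

```shell
#!/bin/sh
# Added example, not code from Ganglia Web: repeats the scanner's check on a
# captured response header block and shows the effect of the usual web-server
# side fix, so the finding can be confirmed or closed without the scanner.
# Cookie names and values below are constructed for the demonstration.

# missing_httponly: reads response headers on stdin and prints the name of
# every cookie whose Set-Cookie line lacks the HttpOnly attribute.
missing_httponly() {
    grep -i '^set-cookie:' | grep -iv 'httponly' \
        | awk -F'[:=;]' '{ sub(/^[ \t]+/, "", $2); print $2 }'
}

# add_httponly: applies the transformation Apache's mod_headers performs with
#   Header edit Set-Cookie ^(.*)$ "$1; HttpOnly"
# to a header stream, leaving lines that already carry the attribute alone.
# The directive belongs in the site's apache.conf; this is a stand-in that
# expects LF-terminated lines (strip CR first for a raw CRLF capture).
add_httponly() {
    awk 'tolower($0) ~ /^set-cookie:/ && tolower($0) !~ /httponly/ {
             print $0 "; HttpOnly"; next }
         { print }'
}

# sample_headers: constructed response, LF-terminated for readability
# (a real HTTP response uses CRLF).
sample_headers() {
    printf 'HTTP/1.1 200 OK\n'
    printf 'Set-Cookie: ganglia_metric_regex=load; Path=/ganglia\n'
    printf 'Set-Cookie: ganglia_tab=summary; Path=/ganglia; HttpOnly\n'
    printf 'Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly; Secure\n'
    printf 'Content-Type: text/html\n\n'
}

# Stand-alone run: report before, then after the header rewrite.
echo "cookies without HttpOnly:"
sample_headers | missing_httponly
echo "after 'Header edit':"
sample_headers | add_httponly | missing_httponly
```

To check a live instance rather than the sample, feed it the header block of a real response (for example the output of `curl -sI` against the Ganglia Web URL) instead of `sample_headers`; an empty result from `missing_httponly` is what the scanner is looking for.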
Re: [Ganglia-developers] [Ganglia-general] Ganglia-Web 3.7.0 released - includes security fixes
Thanks Jack. I have integrated your changes into the installation Wiki.

Vladimir

On 05/29/2015 05:16 AM, linu...@linux.vnet.ibm.com wrote:

Vladimir and all:

Since it's not easy to set up the env of the ganglia web frontend, I tried to add a trouble-shooting part to the wiki page of ganglia-web, as follows:

== Trouble shooting ==

* You need to copy `/var/www/ganglia2/apache.conf` (Ubuntu/Debian) or `/var/www/html/ganglia2/apache.conf` (CentOS/RHEL) to `/etc/apache2/sites-enabled`.
* In most cases, you need to modify the above apache.conf to make sure the alias /ganglia refers to `/var/www/ganglia2` (Ubuntu/Debian) or `/var/www/html/ganglia2` (CentOS/RHEL).
* In most cases, you need to modify `/var/www/ganglia2/conf_default.php` (Ubuntu/Debian) or `/var/www/html/ganglia2` (CentOS/RHEL) to make sure `gweb_confdir` refers to the directory in which the `conf` and `dwoo` directories are located, such as `/var/lib/ganglia-web` or `/var/lib/ganglia`.
* Make sure you have the rrds dir under `gmetad_root`.
* Make sure the above rrds dir is owned by the user `nobody`.

If you guys think this is not bad, how could I push it into the wiki page? It seems that's not the same process as submitting a patch to the source code.

Thank you,
-jack
Re: [Ganglia-developers] [Ganglia-general] Ganglia-Web 3.7.0 released - includes security fixes
Is there an issue open for this and what are the details?

Vladimir

On 05/28/2015 04:40 AM, Cristovao Cordeiro wrote:

Hi all,

was this issue addressed:

NVT: Missing httpOnly Cookie Attribute
OID: 1.3.6.1.4.1.25623.1.0.105925
Threat: Medium (CVSS: 5.0)
Port: 80/tcp

Because after updating I still have it. Any idea on how to solve it?

Thanks

Cumprimentos / Best regards,
Cristóvão José Domingues Cordeiro
IT Department - 28/R-018
CERN

From: Vladimir Vuksan [vli...@veus.hr]
Sent: 21 May 2015 20:22
To: ganglia-developers@lists.sourceforge.net; Ganglia
Subject: [Ganglia-general] Ganglia-Web 3.7.0 released - includes security fixes

Hi all,

Ganglia Web 3.7.0 has been released. Major highlights are:

Cubism integration: https://github.com/ganglia/ganglia-web/wiki/Cubism-integration
Ganglia Reporting: https://github.com/ganglia/ganglia-web/wiki/Ganglia-Reports
A couple of reported XSS issues have been corrected

If you are running Ganglia Web on a publicly accessible server you are strongly advised to upgrade ASAP.

You can download the latest release from here: https://sourceforge.net/projects/ganglia/files/ganglia-web/
Installation instructions can be found here: https://github.com/ganglia/ganglia-web/wiki#Installation

Vladimir