I recall trying this out on 3.6.2 and I couldn't reproduce it, so if you could run this against 3.6.2 and see if you can reproduce it, that would be really helpful.
Vladimir
On 11/07/2014 04:50 PM, Cristovao Jose Domingues Cordeiro wrote:
It is implemented on 3.5.12
Is this fixed on the latest version?
Cumprimentos / Best regards,
Cristóvão José Domingues Cordeiro
IT Department - 28/R-018
CERN
Hi Cristovao,
What Ganglia Web version was tested? Is this against the latest, e.g. 3.6.2?
Thanks,
Vladimir
On 04/11/2014 03:35 AM, Cristovao Jose Domingues Cordeiro wrote:
Hi all,
Recently I've updated my Ganglia web frontend to the latest version (so I could perform HTTP queries), and when I issued the security check with skipfish I got these:
Vulnerabilities found: 33
· Severity: 4, Type: File inclusion
......
......
· Severity: 4, Type: Query injection vector
......
......
· Severity: 4, Type: Shell injection vector
......
......
· Severity: 4, Type: Server-side XML injection vector
......
......
· Severity: 3, Type: Directory traversal / file inclusion possible
......
......
· Severity: 3, Type: XSS vector in document body
......
......
Now, these are too many vulnerabilities, but I don't know if they can affect the backend or if they just affect the frontend. Do you know?
The XSS vulnerability must be fixed for sure. I've seen some references to this in your release notes (e.g. http://www.mail-archive.com/ganglia-general%40lists.sourceforge.net/msg08004.html ), but in fact there is no difference between these last releases and the ones before that announcement.
Is there a workaround for this? I cannot open this Ganglia machine to the outside world if I don't have this fixed.
_______________________________________________
Ganglia-general mailing list
Ganglia-general@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ganglia-general