oss-sec mailing list archives
Re: CVE request: Ganglia-web auth bypass
From: cve-assign () mitre org
Date: Sat, 5 Sep 2015 12:36:37 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> https://github.com/ganglia/ganglia-web/blob/4e98ea69e0e18b388cdc73809ce54843a16ff87b/lib/GangliaAuth.php#L34-L46
> It's easy to bypass auth by using boolean serialization
> https://github.com/ganglia/ganglia-web/issues/267

> https://github.com/ganglia/ganglia-web/issues/267#issuecomment-137822654
> sounds like strict equality checking would resolve the problem?
Use CVE-2015-6816.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJV6xmvAAoJEL54rhJi8gl5+G0QAKv+ZGG1HffLYkr8ETEAzRni
2+VBHL4L62xQW1ng1Ibad36PsBKzOWb3YqMzOmVyQDhBC8CBp7cQ11WDbFsP14B7
rC6crlmq3CkLDCMOrMnskVm1o5XYesFkoE4KhmOSDxNjDo5wfcak2/JYOqMfM4dz
OxKG5KU8srfhS2/NL5Y+DlS4c/9lfcwfFxDFgsfANZU73XHYWgL/wDWCnMFGJs0J
7x5W+EtbGk5lwuBQEW3l/rMlIjoK9tGF86JC0D0yDnzFp0ZufKaPyb8zDAhl1Vgf
EWGOT4yY64CWFx7Ztoi62hAAX599cUdkdNmocii4LWF6GHl7IiXku7WpwYSUew7x
5ma4M11dJo1/NrtXeZLMzcegddEFKyU/fKsOEOoGj2wXKPoE1ujsgcpr05Grs956
P0yg1/daDXVXQx3uWIseBmw9natbpAF1LQM2I5fqpWBMhIh25uFUFwCEcRtnWHvA
/YH7NosYnu7QKF0O8qZvqJPKymk+jjJS93ZFiZsI5lFV+wbN0HnseTldtvpZFi8U
bjl9b7CdE5DrI8JHrrI3j0MyteYTwxn2HhSU5+yldSBJ+AddYI6kvNykxF11BNRv
P7qGtW7MYgqhmOOi2/QdPGvbriIvTUFMKeJOLl3Oa0GZReoF3GUug7MKoK+eEiY2
0iG4G+E9wSfrYim3zjZa
=14xY
-----END PGP SIGNATURE-----
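The thread above describes the bug in one line (a serialized boolean defeats the auth check) and the fix in another (strict equality). The following PHP is an added illustration written for this archive page, not code from ganglia-web or from either poster: the cookie layout, the `expected_token()` helper and the `SECRET` constant are assumptions chosen only to show the pattern. It places the loose-comparison check beside a hardened one and runs both over constructed cookies so the difference is visible.

```php
<?php
// Added illustration, not the Ganglia code: why a loose comparison (==)
// against unserialized cookie data can be satisfied without the real token,
// and how a type-strict comparison closes the gap.

declare(strict_types=1);

// Constructed sample secret; a real deployment would load this from config.
const SECRET = 'constructed-server-side-secret';

// Hypothetical token derivation: an HMAC over the username (assumption).
function expected_token(string $user): string {
    return hash_hmac('sha256', $user, SECRET);
}

// Vulnerable pattern (loose ==). If the unserialized 'token' field is the
// boolean true, PHP evaluates true == "<any non-empty string>" as true, so the
// comparison succeeds even though the caller never supplied the real token.
function is_authenticated_loose(string $cookie): bool {
    $data = @unserialize($cookie, ['allowed_classes' => false]);
    if (!is_array($data) || !isset($data['user'], $data['token'])) {
        return false;
    }
    return $data['token'] == expected_token((string) $data['user']);
}

// Hardened pattern: reject anything that is not a string before comparing,
// then compare with hash_equals(), which is both type-strict (no juggling)
// and constant-time.
function is_authenticated_strict(string $cookie): bool {
    $data = @unserialize($cookie, ['allowed_classes' => false]);
    if (!is_array($data) || !isset($data['user'], $data['token'])) {
        return false;
    }
    if (!is_string($data['user']) || !is_string($data['token'])) {
        return false;
    }
    return hash_equals(expected_token($data['user']), $data['token']);
}

// Constructed cookies: a genuine one, one whose token is the boolean true,
// and one with a wrong string token.
$samples = [
    'valid token'   => serialize(['user' => 'alice', 'token' => expected_token('alice')]),
    'boolean token' => serialize(['user' => 'alice', 'token' => true]),
    'wrong token'   => serialize(['user' => 'alice', 'token' => 'not-the-token']),
];

foreach ($samples as $label => $cookie) {
    printf("%-14s loose=%-5s strict=%s\n", $label,
        var_export(is_authenticated_loose($cookie), true),
        var_export(is_authenticated_strict($cookie), true));
}
```

Run with `php example.php`. Only the loose check accepts the "boolean token" cookie; the strict check also refuses it because `is_string()` fails before any comparison. The `allowed_classes => false` option (PHP 7.0+) is a separate, defence-in-depth point: it stops `unserialize()` from instantiating objects from cookie data, which is a different class of problem from the type-juggling bug the CVE covers.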
Current thread:
- CVE request: Ganglia-web auth bypass Ivan Novikov (Sep 04)
- Re: CVE request: Ganglia-web auth bypass cve-assign (Sep 05)
- Re: CVE request: Ganglia-web auth bypass Raphael Geissert (Sep 07)