perfsonar-announce - JOWPING Cross Site Scripting Risk for pS Performance Toolkit 3.3.x

  • From: Jason Zurawski <>
  • To: perfsonar-announce <>, "" <>
  • Cc: "" <>
  • Subject: JOWPING Cross Site Scripting Risk for pS Performance Toolkit 3.3.x
  • Date: Mon, 14 Jul 2014 08:03:09 -0600

Greetings;

JOWPING, a Java client for the OWAMP measurement tool, has been found to be
vulnerable to a form of cross-site scripting involving manipulation of HTTP
headers. Our analysis has found that the chance of exploit is remote (e.g. it
cannot be done with simple URL manipulation or JavaScript), but warrants
action by toolkit deployers. We are suggesting that sites with concerns
remove JOWPING from their servers using the following command:

> sudo rm -rf /opt/perfsonar_ps/toolkit/web/root/gui/jowping/

This will result in a broken link on the left sidebar, but removes the
software and the risk. A future update to the 3.3.x series of the pS
Performance Toolkit will remove JOWPING completely, and this tool was already
earmarked to not be present on the upcoming 3.4 release due to lack of a
maintainer.
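For deployers managing more than one toolkit host, the following POSIX shell helper wraps the removal above in a presence check and a post-removal verification so it can be run repeatedly and safely. This is an added example, not part of the original announcement or of the perfSONAR project's code; the default path is the one given in the announcement, and the TOOLKIT_WEB_ROOT override and the function names are assumptions introduced here for illustration and testing.

```shell
#!/bin/sh
# Added example (not from the announcement): detect whether the JOWPING client
# directory is present under the pS Performance Toolkit web root and, on
# request, remove it and confirm that it is gone.
# TOOLKIT_WEB_ROOT is an assumed override so the helper can be exercised on a
# non-toolkit machine; the default is the path from the announcement.

TOOLKIT_WEB_ROOT="${TOOLKIT_WEB_ROOT:-/opt/perfsonar_ps/toolkit/web/root}"

# jowping_dir [web_root]: print the JOWPING install path under the web root.
jowping_dir() {
    printf '%s/gui/jowping\n' "${1:-$TOOLKIT_WEB_ROOT}"
}

# jowping_present [web_root]: return 0 if the JOWPING directory exists, else 1.
jowping_present() {
    [ -d "$(jowping_dir "$1")" ]
}

# jowping_remove [web_root]: remove the JOWPING directory (needs root on a real
# toolkit host) and return 0 only when it is confirmed absent afterwards.
# Running it when the directory is already gone is a no-op that returns 0.
jowping_remove() {
    dir="$(jowping_dir "$1")"
    if [ ! -d "$dir" ]; then
        echo "JOWPING not present at $dir; nothing to do"
        return 0
    fi
    rm -rf "$dir"
    if [ -d "$dir" ]; then
        echo "failed to remove $dir" >&2
        return 1
    fi
    echo "removed $dir (the sidebar link stays broken until the next 3.3.x update)"
}

# Usage on a toolkit host, after sourcing this file as root:
#   jowping_present && jowping_remove
```

Because `jowping_remove` verifies the directory is absent before reporting success, its exit status can be used directly by configuration-management or fleet tooling to record which hosts still carry the client.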

The development team would like to thank John Parker from NOAA, who found
this vulnerability through routine use of the skipfish tool
(http://code.google.com/p/skipfish). Feel free to relay any questions or
concerns you have to the developers.

Thanks;

The perfSONAR Development Team
