perfsonar-announce - JOWPING Cross Site Scripting Risk for pS Performance Toolkit 3.3.x
Subject: perfSONAR Announcements
List archive
- From: Jason Zurawski <>
- To: perfsonar-announce <>, "" <>
- Cc: "" <>
- Subject: JOWPING Cross Site Scripting Risk for pS Performance Toolkit 3.3.x
- Date: Mon, 14 Jul 2014 08:03:09 -0600
Greetings;
JOWPING, a java client for the OWAMP measurement tool, has been found to be
vulnerable to a form of cross site scripting involving manipulation of HTTP
headers. Our analysis has found that chance of exploit is remote (e.g.
cannot be done with simple URL manipulation or Javascript), but warrants
action by toolkit deployers. We are suggesting that sites with concerns
remove JOWPING from their servers using the following command:
> sudo rm -rf /opt/perfsonar_ps/toolkit/web/root/gui/jowping/
This will result in a broken link on the left sidebar, but removes the
software and the risk. A future update to the 3.3.x series of the pS
Performance Toolkit will remove JOWPING completely, and this tool was already
earmarked to not be present on the upcoming 3.4 release due to lack of a
maintainer.
The development team would like to thank John Parker from NOAA, who found
this vulnerability through routine use of the skipfish tool
(http://code.google.com/p/skipfish). Feel free to relay any questions or
concerns you have to the developers.
Thanks;
The perfSONAR Development Team
- JOWPING Cross Site Scripting Risk for pS Performance Toolkit 3.3.x, Jason Zurawski, 07/14/2014
- Re: [perfSONAR-developer] JOWPING Cross Site Scripting Risk for pS Performance Toolkit 3.3.x, Aaron Brown, 07/14/2014
Archive powered by MHonArc 2.6.16.