Re: [perfSONAR-developer] JOWPING Cross Site Scripting Risk for pS Performance Toolkit 3.3.x
- From: Aaron Brown <>
- To: perfsonar-announce <>, "" <>
- Cc: "" <>
- Subject: Re: [perfSONAR-developer] JOWPING Cross Site Scripting Risk for pS Performance Toolkit 3.3.x
- Date: Mon, 14 Jul 2014 19:44:29 +0000
- Accept-language: en-US
We’ve released an updated version of the Toolkit that removes the JOWPing
NetInstall Users: Perform a “yum update”, and then restart the machine
LiveCD Users: We won’t be releasing an updated LiveCD yet, and so recommend
following the workaround listed below.
On Jul 14, 2014, at 10:03 AM, Jason Zurawski
> JOWPING, a java client for the OWAMP measurement tool, has been found to be
> vulnerable to a form of cross site scripting involving manipulation of HTTP
> headers. Our analysis has found that chance of exploit is remote (e.g.
> action by toolkit deployers. We are suggesting that sites with concerns
> remove JOWPING from their servers using the following command:
>> sudo rm -rf /opt/perfsonar_ps/toolkit/web/root/gui/jowping/
> This will result in a broken link on the left sidebar, but removes the
> software and the risk. A future update to the 3.3.x series of the pS
> Performance Toolkit will remove JOWPING completely, and this tool was
> already earmarked to not be present on the upcoming 3.4 release due to lack
> of a maintainer.
> The development team would like to thank John Parker from NOAA, who found
> this vulnerability through routine use of the skipfish tool
> (http://code.google.com/p/skipfish). Feel free to relay any questions or
> concerns you have to the developers.
> The perfSONAR Development Team
- JOWPING Cross Site Scripting Risk for pS Performance Toolkit 3.3.x, Jason Zurawski, 07/14/2014
- Re: [perfSONAR-developer] JOWPING Cross Site Scripting Risk for pS Performance Toolkit 3.3.x, Aaron Brown, 07/14/2014
Archive powered by MHonArc 2.6.16.