
Re: [perfSONAR-developer] JOWPING Cross Site Scripting Risk for pS Performance Toolkit 3.3.x


  • From: Aaron Brown <>
  • To: perfsonar-announce <>, "" <>
  • Cc: "" <>
  • Subject: Re: [perfSONAR-developer] JOWPING Cross Site Scripting Risk for pS Performance Toolkit 3.3.x
  • Date: Mon, 14 Jul 2014 19:44:29 +0000
  • Accept-language: en-US

Hi Folks,

We’ve released an updated version of the Toolkit that removes the JOWPing
component.

NetInstall Users: Perform a “yum update”, and then restart the machine
afterwards.

LiveCD Users: We won’t be releasing an updated LiveCD yet, and so recommend
following the workaround listed below.

Cheers,
Aaron

On Jul 14, 2014, at 10:03 AM, Jason Zurawski <> wrote:

> Greetings;
>
> JOWPING, a java client for the OWAMP measurement tool, has been found to be
> vulnerable to a form of cross site scripting involving manipulation of HTTP
> headers. Our analysis has found that the chance of exploit is remote (e.g.
> it cannot be done with simple URL manipulation or JavaScript), but warrants
> action by toolkit deployers. We are suggesting that sites with concerns
> remove JOWPING from their servers using the following command:
>
>> sudo rm -rf /opt/perfsonar_ps/toolkit/web/root/gui/jowping/
>
> This will result in a broken link on the left sidebar, but removes the
> software and the risk. A future update to the 3.3.x series of the pS
> Performance Toolkit will remove JOWPING completely, and this tool was
> already earmarked to not be present on the upcoming 3.4 release due to lack
> of a maintainer.
>
> The development team would like to thank John Parker from NOAA, who found
> this vulnerability through routine use of the skipfish tool
> (http://code.google.com/p/skipfish). Feel free to relay any questions or
> concerns you have to the developers.
>
> Thanks;
>
> The perfSONAR Development Team
