perfsonar-announce - Re: [perfSONAR-developer] JOWPING Cross Site Scripting Risk for pS Performance Toolkit 3.3.x
Subject: perfSONAR Announcements
Re: [perfSONAR-developer] JOWPING Cross Site Scripting Risk for pS Performance Toolkit 3.3.x
- From: Aaron Brown <>
- To: perfsonar-announce <>, "" <>
- Cc: "" <>
- Subject: Re: [perfSONAR-developer] JOWPING Cross Site Scripting Risk for pS Performance Toolkit 3.3.x
- Date: Mon, 14 Jul 2014 19:44:29 +0000
- Accept-language: en-US
Hi Folks,
We’ve released an updated version of the Toolkit that removes the JOWPing
component.
NetInstall Users: Perform a “yum update”, and then restart the machine
afterwards.
LiveCD Users: We won’t be releasing an updated LiveCD yet, and so recommend
following the workaround listed below.
Cheers,
Aaron
On Jul 14, 2014, at 10:03 AM, Jason Zurawski <> wrote:
> Greetings;
>
> JOWPING, a Java client for the OWAMP measurement tool, has been found to be
> vulnerable to a form of cross site scripting involving manipulation of HTTP
> headers. Our analysis has found that the chance of exploit is remote (e.g.
> cannot be done with simple URL manipulation or JavaScript), but warrants
> action by toolkit deployers. We are suggesting that sites with concerns
> remove JOWPING from their servers using the following command:
>
>> sudo rm -rf /opt/perfsonar_ps/toolkit/web/root/gui/jowping/
>
> This will result in a broken link on the left sidebar, but removes the
> software and the risk. A future update to the 3.3.x series of the pS
> Performance Toolkit will remove JOWPING completely, and this tool was
> already earmarked to not be present on the upcoming 3.4 release due to lack
> of a maintainer.
>
> The development team would like to thank John Parker from NOAA, who found
> this vulnerability through routine use of the skipfish tool
> (http://code.google.com/p/skipfish). Feel free to relay any questions or
> concerns you have to the developers.
>
> Thanks;
>
> The perfSONAR Development Team
- JOWPING Cross Site Scripting Risk for pS Performance Toolkit 3.3.x, Jason Zurawski, 07/14/2014
- Re: [perfSONAR-developer] JOWPING Cross Site Scripting Risk for pS Performance Toolkit 3.3.x, Aaron Brown, 07/14/2014