perfsonar-user - [perfsonar-user] JOWPING Cross Site Scripting Risk for pS Performance Toolkit 3.3.x
Subject: perfSONAR User Q&A and Other Discussion
- From: Jason Zurawski
- To: perfsonar-announce, perfsonar-user
- Subject: [perfsonar-user] JOWPING Cross Site Scripting Risk for pS Performance Toolkit 3.3.x
- Date: Mon, 14 Jul 2014 08:03:09 -0600
Greetings;
JOWPING, a Java client for the OWAMP measurement tool, has been found to be
vulnerable to a form of cross-site scripting involving manipulation of HTTP
headers. Our analysis has found that the chance of exploit is remote (e.g.
cannot be done with simple URL manipulation or JavaScript), but warrants
action by toolkit deployers. We are suggesting that sites with concerns
remove JOWPING from their servers using the following command:
> sudo rm -rf /opt/perfsonar_ps/toolkit/web/root/gui/jowping/
This will result in a broken link on the left sidebar, but removes the
software and the risk. A future update to the 3.3.x series of the pS
Performance Toolkit will remove JOWPING completely, and this tool was already
earmarked to not be present on the upcoming 3.4 release due to lack of a
maintainer.
The development team would like to thank John Parker from NOAA, who found
this vulnerability through routine use of the skipfish tool
(http://code.google.com/p/skipfish). Feel free to relay any questions or
concerns you have to the developers.
Thanks;
The perfSONAR Development Team