
perfsonar-user - Re: [perfsonar-user] Software vulnerabilities

Subject: perfSONAR User Q&A and Other Discussion

  • From: Andrew Lake <>
  • To: Darryl K Wohlt <>, "" <>, Darryl K Wohlt <>
  • Subject: Re: [perfsonar-user] Software vulnerabilities
  • Date: Tue, 28 Feb 2023 10:27:10 -0500

Hi Darryl,

In general you can send reports like this to  as opposed to the public user list to give us a chance to take a look.

For the “Cross Site Scripting” category, as far as I can tell it appears that output is properly escaped and sanitized so you can’t actually make the browser run anything. 

We’ll need some more time to look at the library versions and if there are any immediate concerns. They are indeed out-of-date, but we need some time to look at whether there are any actual smoking guns given the way we are using things. Generally the JS stuff is more client-side as opposed to letting people do bad stuff to the server. Still not great as people can do phishing type attacks, etc. Again, will need to take a closer look to get an actual beat on the extent of these.

Thanks for the report and we’ll keep you updated.

Thanks,
Andy




On February 28, 2023 at 10:06:14 AM, Darryl K Wohlt () wrote:

Hello,

 

Our PerfSONAR instances have been ticketed by our cybersecurity group for a number of vulnerabilities, and I'll need a little help to remediate.

 

To summarize these using psonar5.deemz.net (4.4.6-1.el7, 3.10.0-1160.53.1.el7.x86_64 #1 SMP Fri Jan 14 13:59:45 UTC 2022 x86_64):

 

A. Cross Site Scripting (3 instances)

 

Proof URLs:

https://psonar5.deemz.net/esmond/perfsonar/archive/?format=json&measurement-agent=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(0x000004)%3C/scRipt%3E&pscheduler-http-url="134.79.235.226&pscheduler-test-type=http

 

https://psonar5.deemz.net/esmond/perfsonar/archive/?destination=134.79.235.226&source=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(0x000447)%3C/scRipt%3E

 

https://psonar5.deemz.net/esmond/perfsonar/archive/?format=json&measurement-agent=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(0x00088A)%3C/scRipt%3E&pscheduler-dns-query=198.49.208.18&pscheduler-test-type=dns

 

Vulnerability Details:

Invicti Enterprise detected Cross-site Scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.

This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

 

Impact

There are many different attacks that can be leveraged through the use of cross-site scripting, including:

* Hijacking user's active session.
* Mounting phishing attacks.
* Intercepting data and performing man-in-the-middle attacks.

 

Remedy

The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes into a JavaScript block within the HTML document, then output needs to be encoded accordingly.

 

B. Out-of-date Version (jQuery UI Autocomplete)

On https://psonar5.deemz.net/toolkit/js/jquery-ui/

 

Vulnerability Details

Invicti Enterprise identified the target web site is using jQuery UI Autocomplete and detected that it is out of date.

 

Identified Version 1.11.4

Overall latest version 1.13.0

 

Impact

Since this is an old version of the software, it may be vulnerable to attacks.

 

Remedy

Please upgrade your installation of jQuery UI Autocomplete to the latest stable version.

 

C. Out-of-date Version (jQuery)

On https://psonar5.deemz.net/esmond/perfsonar/

 

Vulnerability Details

Invicti Enterprise identified the target web site is using jQuery and detected that it is out of date.

 

Identified Version 3.3.1

Overall latest version 3.6.0

 

Impact

Since this is an old version of the software, it may be vulnerable to attacks.

 

Remedy

Please upgrade your installation of jQuery to the latest stable version.

 

D. Out-of-date Version (Bootstrap)

On psonar5.fnal.gov

 

Vulnerability Details

Invicti Enterprise identified the target web site is using Bootstrap and detected that it is out of date.

 

Identified Version 3.4.0

Latest Version 3.4.1 (in this branch)

Overall latest version 5.1.3

 

Impact

Since this is an old version of the software, it may be vulnerable to attacks.

 

Remedy

Please upgrade your installation of Bootstrap to the latest stable version.

 

Thanks for any guidance,

Darryl

 

Darryl K. Wohlt

Senior Network Analyst

 

CCD/NCS/Network Services

Fermi National Accelerator Laboratory

P.O. Box 500, MS 368

Batavia, Illinois 60510

USA

 

630 840 2901 office

630 945 5687  mobile

www.fnal.gov
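
The following added example is not part of either message or of perfSONAR's code. It decodes the second proof URL from the report, applies the context-specific output encoding that the Remedy text describes, and classifies whether a response reflects the payload raw or encoded. The function names and status labels are assumptions made for illustration.

```python
import html
import json
from urllib.parse import urlsplit, parse_qs

# Second proof URL from finding A in the report above.
PROOF_URL = ("https://psonar5.deemz.net/esmond/perfsonar/archive/"
             "?destination=134.79.235.226&source=%27%22--%3E%3C/style%3E"
             "%3C/scRipt%3E%3CscRipt%3Ealert(0x000447)%3C/scRipt%3E")


def injected_params(url):
    """Return query parameters whose decoded value contains markup characters."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()
            if any(c in v[0] for c in "<>\"'")}


def encode_for_html(value):
    """Encode for an HTML text node or a quoted attribute value."""
    return html.escape(value, quote=True)


def encode_for_script(value):
    """Encode as a JavaScript string literal inside an inline script block."""
    out = json.dumps(value)  # adds quotes, escapes " and backslash
    # Also escape <, > and & so the value cannot close the script element.
    for ch in "<>&":
        out = out.replace(ch, "\\u%04x" % ord(ch))
    return out


def reflection_status(payload, body):
    """Classify how a response body reflects the payload.

    "raw"       : payload appears verbatim (the browser would parse it as markup)
    "encoded"   : payload appears only in one of the two encodings above
    "not-found" : neither form is present (other encodings are not recognised)
    """
    if payload in body:
        return "raw"
    if encode_for_html(payload) in body or encode_for_script(payload) in body:
        return "encoded"
    return "not-found"


if __name__ == "__main__":
    payload = injected_params(PROOF_URL)["source"]
    print(encode_for_html(payload))
    print(encode_for_script(payload))
```
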

 
