##############################################################################
#
# Title : Adiscon LogAnalyzer 'highlight' Parameter Cross Site Scripting Vulnerability
# Author : Sooraj K.S SecPod Technologies (www.secpod.com)
# Vendor : http://loganalyzer.adiscon.com/
# Advisory : http://secpod.org/blog/?p=504
# : http://secpod.org/advisories/SecPod_LogAnalyzer_XSS_Vuln.txt
# Software : LogAnalyzer 3.4.3
# Date : 30/05/2012
#
###############################################################################
SecPod ID: 1041
30/05/2012 Issue Discovered
19/06/2012 Vendor Notified
19/06/2012 Vendor Acknowledged
20/06/2012 Issue Resolved
Class: Cross-Site Scripting
Severity: Medium
Overview:
---------
Adiscon LogAnalyzer is prone to a cross-site scripting vulnerability.
Technical Description:
----------------------
Adiscon LogAnalyzer is prone to a cross-site scripting vulnerability because
it fails to properly sanitize user-supplied input.
Input passed via the 'highlight' parameter in index.php is not properly
verified before it is returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the context of
a vulnerable site. This may allow an attacker to steal cookie-based
authentication credentials and to launch other attacks.
The vulnerability has been tested in LogAnalyzer 3.4.3. Other versions may
also be affected.
Impact:
--------
Successful exploitation allows an attacker to execute arbitrary HTML and script
code in a user's browser session in the context of a vulnerable site.
Affected Software:
------------------
LogAnalyzer 3.4.3 and prior.
Reference:
---------
http://secpod.org/blog/?p=504
http://loganalyzer.adiscon.com
http://secpod.org/advisories/SecPod_LogAnalyzer_XSS_Vuln.txt
http://loganalyzer.adiscon.com/downloads/loganalyzer-3-4-4-v3-stable
http://loganalyzer.adiscon.com/downloads/loganalyzer-v3-5-5-v3-beta
http://loganalyzer.adiscon.com/security-advisories/loganalyzer-cross-site-scripting-vulnerability-in-highlight-parameter
Proof of Concept:
-----------------
http://www.example.com/?search=Search&highlight="<script>alert(document.cookie)</script>
Solution:
----------
Update LogAnalyzer to version 3.4.4 or higher.
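For reviewing web server logs while the update is rolled out, the following added example (not part of the original advisory and not Adiscon or SecPod code) flags requests whose 'highlight' parameter carries HTML metacharacters after percent-decoding. The log lines are constructed, the Apache combined log format is an assumption, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (Apache combined format); addresses are
# documentation ranges and the requests are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jun/2012:10:01:02 +0000] "GET /index.php?search=Search&highlight=error HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Jun/2012:10:02:10 +0000] "GET /index.php?search=Search&highlight=%22%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Jun/2012:10:03:44 +0000] "GET /?search=Search&highlight=%253Cb%253E HTTP/1.1" 200 5290 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Jun/2012:10:04:00 +0000] "GET /index.php?search=Search&highlight=disk+full HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: ordinary highlight terms do not need these characters.
MARKUP_RE = re.compile(r'[<>"]')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_highlight_requests(log_text):
    """Return (client, decoded value) for each 'highlight' parameter that
    carries HTML metacharacters."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        # parse_qs performs the first round of percent-decoding.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for raw in params.get("highlight", []):
            value = fully_decode(raw)
            if MARKUP_RE.search(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_highlight_requests(SAMPLE_LOG):
        print(f"{client}\t{value!r}")
```

A hit shows that a crafted link was requested, not that script ran in a browser; instances still on 3.4.3 or earlier should be updated regardless of what the logs show.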
Risk Factor:
-------------
CVSS Score Report:
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = MEDIUM
AUTHENTICATION = NONE
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT = PARTIAL
AVAILABILITY_IMPACT = NONE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Credits:
--------
Sooraj K.S of SecPod Technologies has been credited with the discovery of this
vulnerability.