[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Syslog LogAnalyzer persistent XSS injection CVE-2014-6070
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] Syslog LogAnalyzer persistent XSS injection CVE-2014-6070
- From: "Dolev Farhi" <dolevf@xxxxxxxxx>
- Date: Tue, 02 Sep 2014 19:10:25 +0000
Author: Dolev Farhi @dolevff
Application: LogAnalyzer
Date: 8.2.2014
Tested on: Red Hat Enterprise Linux 6.4
Relevant CVEs: CVE-2014-6070
1. About the application
------------------------
LogAnalyzer is a web interface to syslog and other network event data.
It provides easy browsing, analysis of realtime network events and
reporting services.
2. Vulnerabilities Descriptions:
-----------------------------
It was found that an XSS injection is possible on a syslog server
running LogAnalyzer version 3.6.5.
by changing the hostname of any entity logging to syslog server with
LogAnalyzer to <script>alert("xss")</script>, and sending an arbitrary
syslog message, a client-side script injection execution is possible.
3. Life cycle
--------------------
8.2.2014 - Vulnerability identified
9.2.2014 - CVE Requested
9.2.2014 - CVE Assigned
9.2.2014 - Vendor releases a fix in a minor release version 3.6.6.
4. proof of concept
-----------------------
a proof of concept video and a working exploit can be found here:
http://research.openflare.org/poc/OF-2014-16/
5. Recommendation
--------------------------
upgrade to LogAnalyzer 3.6.6
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/