securityvulns SECURITYVULNS:DOC:849
Oct 28, 2000 - 12:00 a.m.

I-gear 3.5.x for Microsoft Proxy logging vulnerability + temporary fix.


Hello everyone,
this message is generated after several hours with Symantec Tech support
and my personal research of the issue. The issue is confirmed to be a
problem by Symantec®.

Platform: I-gear 3.5.6 (and 3.5.7-x) for MSP Proxy 2.0 ; Windows NT 4.0 SP6;
MSP 2.0 SP1; PowerEdge 2300 dual 450; 512 RAM.

Issue:
Hits on "unidentified" web pages (web pages that do not comply with a certain
standard) generate an invalid entry in the I-gear log files. Usually the
entry is over 255 characters (ballpark number for a valid URL log entry).
After the entry is made, you can no longer generate reports about your users'
activity, or the reports are not complete.

Vulnerability: Users can generate invalid log entries causing inability to
view access reports.

Solution:
Symantec is working on a new release of the software that will solve the
problem (according to Tech Support). Meanwhile I had to come up with my own fix.
I repeat – this fix worked for my environment – AND I’M NOT RESPONSIBLE FOR
ANY DAMAGE/DATA LOSS THIS SOLUTION MIGHT CAUSE YOU. This is not a 100% fix,
and you cannot run it on your current log file (since it is being used by
I-gear).

  1. Download a Linux utility rewritten for Windows called grep (I used Tim
     Charron’s: http://www.interlog.com/~tcharron/grep.html).

  2. Make this batch file (fixlog.cmd):

         grep -v -E .{300,} %1 > templog
         move /y templog %1

  3. Run the batch file (fixlog urlog20001009).

  4. This will remove any log entries larger than 300 characters.

  5. Generate the reports you have been missing so much.

Dmitry Andrievsky <[email protected]>
Networks & Systems Administrator
Quincy Public Schools, District #172
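
The batch file above discards the oversized entries, which also discards the record of which requests produced them. The following is an added example, not part of the original post and not Symantec's code: a variant of the same filter that moves those entries to a side file instead. It assumes the log is line-oriented with one entry per line (as the grep fix implies); the function name `split_log` and the `.oversize` suffix are made up for this example.

```python
import os
import tempfile

MAX_LEN = 300  # same cut-off as the post's grep pattern .{300,}


def split_log(log_path, max_len=MAX_LEN):
    """Move entries of max_len or more bytes from log_path to <log>.oversize.

    Returns (kept, quarantined) line counts. Run it on a closed log only;
    the post notes the file I-gear is currently writing cannot be processed.
    """
    quarantine_path = log_path + ".oversize"  # hypothetical side file
    kept = quarantined = 0
    log_dir = os.path.dirname(os.path.abspath(log_path))
    # Write the cleaned copy beside the log so the final rename stays on one volume.
    fd, tmp_path = tempfile.mkstemp(dir=log_dir, prefix="fixlog-")
    try:
        with os.fdopen(fd, "wb") as clean, \
             open(log_path, "rb") as src, \
             open(quarantine_path, "ab") as bad:
            for lineno, raw in enumerate(src, 1):
                body = raw.rstrip(b"\r\n")
                if len(body) >= max_len:
                    # Prefix the original line number so the entry can be
                    # matched against proxy logs during later review.
                    bad.write(b"%d\t" % lineno + body + b"\n")
                    quarantined += 1
                else:
                    clean.write(raw)  # keep valid entries byte-for-byte
                    kept += 1
        os.replace(tmp_path, log_path)  # swap in the cleaned log
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return kept, quarantined


if __name__ == "__main__":
    import sys
    print(split_log(sys.argv[1]))
```

A steadily growing `.oversize` file is also a simple signal of how often the malformed entries are being generated.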