lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201407221118.s6MBIY40018890@sf01web3.securityfocus.com>
Date: Tue, 22 Jul 2014 11:18:34 GMT
From: audit1@...ecure.com
To: bugtraq@...urityfocus.com
Subject: Cross-site Scripting in EventLog Analyzer 9.0 build #9000

We discovered a vulnerability in the EventLog Analyzer web application.

Vulnerability Type: Cross-site Scripting

Original Release: June 20, 2014

Discovered by: 
	Security Team - A2SECURE
	Artėm Tsvetkov	atsvetkov@...ecure.com 
	Sisco Barrera	sbarrera@...ecure.com 
	Andrea Bodei	abodei@...ecure.com 	

Products and affected versions:
	MANAGEENGINE EVENTLOG ANALYZER 9.0 build #9000

Company: A2SECURE - Espańa
A2Secure Website: http://www.a2secure.com
Vendor Website: http://www.manageengine.com 
Application Website: http://www.manageengine.com/products/eventlog/ 



===========================
Background
===========================

EventLog Analyzer is a Security Information and Event Management (SIEM) software. Using this Log Analyzer software, organizations can automate the entire process of managing terabytes of machine generated logs by collecting, analyzing, correlating, searching, reporting, and archiving from one central location. This event log analyzer software helps to mitigate file integrity, conduct log forensics analysis, monitor privileged users and comply to different compliance regulatory bodies by intelligently analyzing your logs and instantly generating a variety of reports like user activity reports, historical trend reports, and more.



===========================
Vulnerability Details
===========================

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. 

EventLog Analyzer should correctly filter input data using a whitelist of allowed characters, encoding, or a similar technique. 
 

===========================
Proof of Concept
===========================

The login username parameter is vulnerable to Cross-site Scripting

Domain: 	https://localhost:8500
Method:		POST
Path:		/event/j_security_check
Parameter: 	j_username
Payload:	"><script>alert(1);</script>



===========================
Credits / Author
===========================

Artėm Tsvetkov
www.a2secure.com 



===========================
Disclaimer
===========================

All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore A2Secure shall not be liable for any direct or indirect damages that might be caused by using this information.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ