| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 02 Sep 2014 19:10:25 +0000
From: "Dolev Farhi" <dolevf@...oo.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Syslog LogAnalyzer persistent XSS injection CVE-2014-6070
Author: Dolev Farhi @dolevff
Application: LogAnalyzer
Date: 8.2.2014
Tested on: Red Hat Enterprise Linux 6.4
Relevant CVEs: CVE-2014-6070
1. About the application
------------------------
LogAnalyzer is a web interface to syslog and other network event data.
It provides easy browsing, analysis of realtime network events and
reporting services.
2. Vulnerabilities Descriptions:
-----------------------------
It was found that an XSS injection is possible on a syslog server
running LogAnalyzer version 3.6.5.
by changing the hostname of any entity logging to syslog server with
LogAnalyzer to <script>alert("xss")</script>, and sending an arbitrary
syslog message, a client-side script injection execution is possible.
3. Life cycle
--------------------
8.2.2014 - Vulnerability identified
9.2.2014 - CVE Requested
9.2.2014 - CVE Assigned
9.2.2014 - Vendor releases a fix in a minor release version 3.6.6.
4. proof of concept
-----------------------
a proof of concept video and a working exploit can be found here:
http://research.openflare.org/poc/OF-2014-16/
5. Recommendation
--------------------------
upgrade to LogAnalyzer 3.6.6
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists