LogAnalyzer version 3.6.0 suffers from a cross site scripting vulnerability.
Product: LogAnalyzer
Version: 3.6.0
Vendor: www.adiscon.com
Vulnerability type: Cross Site Scripting
Risk level: Low
Vendor notification: 2012-12-15
Patch Release: 2012-12-19
Public disclosure: 2012-12-20
Author: Mohd Izhar Bin Ali aka johncrackernet
Website: http://johncrackernet.blogspot.com
Details:
A cross-site scripting vulnerability existed in the asktheoracle.php page. An attacker could use it to execute arbitrary HTML and script code via the oracle_query parameter.
Proof of Concept:
The 'oracle_query' parameter is not properly sanitized in the asktheoracle.php page.
http://192.168.1.10/loganalyzer-3.6.0/asktheoracle.php?type=searchstr&oracle_query=<script>alert("XSS")<script>
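Detection logic for this issue, as an added example that is not part of the original advisory: it scans web server access log lines for requests to asktheoracle.php whose decoded oracle_query value carries HTML or script markers. The log format, regular expressions and sample lines are assumptions constructed for the example.

```python
"""Flag attempts against the reflected XSS in LogAnalyzer's asktheoracle.php
(oracle_query parameter) by inspecting web server access logs."""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Assumed combined-log-format line: client, timestamp, request, status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Markers of HTML/script injection, matched after URL decoding (case-insensitive).
XSS_MARKERS = re.compile(
    r'<\s*/?\s*(script|img|svg|iframe|body)\b|javascript:|on\w+\s*=', re.I)

def inspect_request(path: str):
    """Return the decoded oracle_query value if it contains an XSS marker,
    else None. Only requests to asktheoracle.php are considered."""
    parts = urlsplit(path)
    if not parts.path.endswith('/asktheoracle.php'):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get('oracle_query', []):
        decoded = unquote_plus(value)  # parse_qs decoded once; catch double encoding
        if XSS_MARKERS.search(decoded):
            return decoded
    return None

def scan_log(lines):
    """Return (client, timestamp, status, payload) for each suspicious hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        client, ts, _method, path, status = m.groups()
        payload = inspect_request(path)
        if payload is not None:
            hits.append((client, ts, int(status), payload))
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Dec/2012:10:01:02 +0000] "GET /loganalyzer-3.6.0/asktheoracle.php?type=searchstr&oracle_query=error HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Dec/2012:10:01:07 +0000] "GET /loganalyzer-3.6.0/asktheoracle.php?type=searchstr&oracle_query=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E HTTP/1.1" 200 611',
    '10.0.0.9 - - [20/Dec/2012:10:01:09 +0000] "GET /loganalyzer-3.6.0/index.php?oracle_query=%3Cscript%3E HTTP/1.1" 200 300',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only the second sample line is reported; a request to a page other than asktheoracle.php is ignored even when it carries the same parameter, so widen the path check if other reflected parameters are of interest.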
Solutions:
Upgrade to the latest version of LogAnalyzer (3.6.1).
Reference:
http://loganalyzer.adiscon.com/security-advisories/loganalyzer-cross-site-scripting-vulnerability-in-oracle_query-paramater