Advisory ID: CSA-12005 Title: Multiple vulnerabilities in LogAnalyzer Product: LogAnalyzer Version: 3.4.2 and probably prior Vendor: adiscon.com Vulnerability type: SQL injection, XSS, Arbitrary File Read Risk level: 2 / 3 Credit: www.codseq.it CVE: Vendor notification: 2012-05-21 Public disclosure: 2012-05-23 Details LogAnalyzer version 3.4.2 and probably below suffers from multiple vulnerabilities: - SQL Injection 1) The script admin/views.php contains a SQL-Injection vulnerability when used to create a new view. It can be exploited by a non-admin user (with write access) to insert arbitrary data into logcon_views table. The vulnerability exists due to the failure in the script to sanytize the POST variable "Columns" before use it to build a SQL query. This PoC creates an arbitrary record into logcon_views table.
2) The script admin/views.php contains a SQL-Injection vulnerability when used to update a view. It can be exploited by a non-admin user (with write access) to obtain arbitrary database data. The vulnerability exists due to the failure in the script to sanytize the POST variable "Columns" before use it to build a SQL query. This PoC updates a view and sets the admin password (md5) as the view name
- Arbitrary File Read LogAnalyzer allows non-admin users (with write access) to create a diskfile source with an arbitrary value as "syslog file" parameter. By setting this parameter to "config.php", the configuration file is disclosed when the source is loaded. - Cross Site Scripting 1) The input passed via the "filter" parameter to index.php is not properly sanitised before being returned to the user. http://127.0.0.1/loganalyzer-3.4.2/index.php?filter=%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3E 2) The input passed via the "id" parameter to admin/reports.php is not properly sanitised before being returned to the user. http://127.0.0.1/loganalyzer-3.4.2/admin/reports.php?op=details&id=eventsummary%3Cscript%3Ealert(1)%3C/script%3E 3) The input passed via the "id" parameter to admin/searches.php is not properly sanitised before being returned to the user. http://127.0.0.1/loganalyzer-3.4.2/admin/searches.php?op=edit&id=7%3Cscript%3Ealert(1)%3C/script%3E Solution upgrade to LogAnalyzer 3.4.3 Filippo Cavallarin C o d S e q Development with an eye on security ------------------------------------------------------------------------ Castello 2005, 30122 Venezia Tel: 041 88 761 58 - Fax: 041 81 064 714 - Cell: 346 66 93 254 c.f. CVLFPP82B27L736J - p.iva 03737650279 http://www.codseq.it - filippo.cavallarin@codseq.it