mailing list archives
From: Hugo "Vázquez" "Caramés" <overclocking_a_la_abuela () hotmail com>
Date: 6 Mar 2003 12:35:23 -0000
We would like to clarify some points on our previous post about Inverse
Lookup Log Corruption.
"ILLC" has nothing to do with CERT advisory "CA-2000-02"
(http://www.cert.org/advisories/CA-2000-02.html). With our technique an
attacker can spoof the IP on web server logs...(completely on Iplanet and
partially on Apache). Moreover an attacker can also hide requests on the
Iplanet log analyzer (with the "format=" prefix on it's hostname)...
This allowed us to show 7 new different bugs:
-Partial log IP spoofing on Apache (ILLC)
-Full IP spoofing on Iplanet (ILLC)
-Full hiding requests on Iplanet (ILLC)
-XSS on Iplanet Log Analyzer (ILLC)
-XSS on WebTrends (XSS in HostName)
-XSS on Surfstats (XSS in HostName)
-XSS on Webexpert (XSS in HostName)
While playing around with log analyzers, we also found other 2 XSS bugs
(these ones exploiting CERT advisory "CA-2000-02" )
-XSS on LoganPro (XSS in UserAgent)
-XSS on Webexpert (XSS in UserAgent)
Hugo VÃ¡zquez CaramÃ©s & Toni CortÃ©s MartÃnez
Infohacking Research 2001-2003