Home page logo

bugtraq logo Bugtraq mailing list archives

From: Hugo "Vázquez" "Caramés" <overclocking_a_la_abuela () hotmail com>
Date: 6 Mar 2003 12:35:23 -0000

We would like to clarify some points on our previous post about Inverse 
Lookup Log Corruption.

"ILLC" has nothing to do with CERT advisory "CA-2000-02" 
(http://www.cert.org/advisories/CA-2000-02.html). With our technique an 
attacker can  spoof the IP on web server logs...(completely on Iplanet and 
partially on Apache). Moreover an attacker can also hide requests on the 
Iplanet log analyzer (with the "format=" prefix on it's hostname)... 

This allowed us to show 7 new different bugs:

-Partial log IP spoofing on Apache (ILLC)
-Full IP spoofing on Iplanet (ILLC)
-Full hiding requests on Iplanet (ILLC)
-XSS on Iplanet Log Analyzer (ILLC)
-XSS on WebTrends (XSS in HostName)
-XSS on Surfstats (XSS in HostName)
-XSS on Webexpert (XSS in HostName)

While playing around with log analyzers, we also found other 2 XSS bugs 
(these ones exploiting CERT advisory "CA-2000-02" )

-XSS on LoganPro (XSS in UserAgent)
-XSS on Webexpert (XSS in UserAgent)


Hugo Vázquez Caramés & Toni Cortés Martínez
Infohacking Research 2001-2003

  By Date           By Thread  

Current thread:
  • ILLC Vázquez (Mar 06)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]