Home page logo

bugtraq logo Bugtraq mailing list archives

Cross-Site Scripting (XSS) in Nihuo Web Log Analyzer
From: Audun Larsen <larsen () xqus com>
Date: 20 Aug 2004 19:25:29 -0000

          Cross-Site Scripting (XSS) in Nihuo Web Log Analyzer
Author:         Audun Larsen (larsen at xqus dot com)
Date:           Aug 20, 2004

Affected software:
Name:           Nihuo Web Log Analyzer
URL:            http://www.loganalyzer.net/index.html
Version:        v1.6 (older versions not tested)
Released:       Feb 17, 2004

Vendors description:
Nihuo Web Log Analyzer can generate a wide range of reports and statistics from your log file - more than 80 different 
reports with 2D and 3D graphs.

Most developers know that input validation is important. If you look at the history of PHP-nuke you can see that 
software that does not check the user
input thoroughly, is insecure.

Many think that http access-log analyzers don't get any input from the user.
But think about it, both the user-agent and the referer header is data that can be manipulated by the user.
Nihuo Web Log Analyzer is vulnerable to just this type of attack.

To exploit Nihuo Web Log Analyzer we have to send a special HTTP request that includes malicious code.

GET / HTTP/1.1
Host: sample.com
Connection: close
Accept: text/plain
Accept-Language: en-us,en
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
User-Agent: Some-Fake-UA <img src='http://attacker.host.com/app.gif&apos;>

Generating this HTTP request can easily be done in Perl, PHP or any other language. Generating enough hits with this 
user-agent will cause the user-agent to appear in the "Top Browsers" list, with the HTML code
included. Notice that single quotes is used in the User-Agent.

Tested with:
Apache 1.3.x
Nihuo Web Log Analyzer v1.6 (Running on Win2k)

No solution available at the time writing.
Vendor notified Aug 20, 2004.

The information in this advisory and any of its demonstrations is provided "as is" without warranty of any kind.

Copyright © 2004 Audun Larsen

  By Date           By Thread  

Current thread:
  • Cross-Site Scripting (XSS) in Nihuo Web Log Analyzer Audun Larsen (Aug 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]