Full Disclosure mailing list archives
Syslog LogAnalyzer persistent XSS injection CVE-2014-6070
From: "Dolev Farhi" <dolevf () yahoo com>
Date: Tue, 02 Sep 2014 19:10:25 +0000
Author: Dolev Farhi @dolevff Application: LogAnalyzer Date: 8.2.2014 Tested on: Red Hat Enterprise Linux 6.4 Relevant CVEs: CVE-2014-6070 1. About the application ------------------------LogAnalyzer is a web interface to syslog and other network event data. It provides easy browsing, analysis of realtime network events and reporting services.
2. Vulnerabilities Descriptions: -----------------------------It was found that an XSS injection is possible on a syslog server running LogAnalyzer version 3.6.5. by changing the hostname of any entity logging to syslog server with LogAnalyzer to <script>alert("xss")</script>, and sending an arbitrary
syslog message, a client-side script injection execution is possible. 3. Life cycle -------------------- 8.2.2014 - Vulnerability identified 9.2.2014 - CVE Requested 9.2.2014 - CVE Assigned 9.2.2014 - Vendor releases a fix in a minor release version 3.6.6. 4. proof of concept ----------------------- a proof of concept video and a working exploit can be found here: http://research.openflare.org/poc/OF-2014-16/ 5. Recommendation -------------------------- upgrade to LogAnalyzer 3.6.6 _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Syslog LogAnalyzer persistent XSS injection CVE-2014-6070 Dolev Farhi (Sep 02)