SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Generic)  >  Analog Vendors:  Turner, Stephen
Analog Web Log File Analysis Tool Allows Cross-Site Scripting Attacks
Date:  Mar 28 2002
Impact:  Disclosure of authentication information, Execution of arbitrary code via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): prior to 5.22
Description:  A vulnerability was reported in 'analog', a log file analysis tool. A remote user can conduct cross-site scripting attacks against analog users.

A remote user can insert arbitrary strings into a web server logfile simply by sending requests: the request line (including the requested URL), the Referer header and the User-Agent header are all supplied by the client and are all recorded by common log formats such as the NCSA combined format. When a logfile containing such strings is subsequently analyzed by analog, the strings are reproduced in the web-based analog report. Analog attempted to encode unsafe characters before writing them to the report, but the encoding was incomplete, so a remote user can inject arbitrary JavaScript into an analog report. When the report is viewed by the target (victim) user, the script is executed by the target user's browser. Because the report is served by the site running analog, the script runs in the security context of that site and can therefore read the target user's cookies and other data associated with it.
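The following is an added example, not analog's source code, showing the mechanism the description above refers to: attacker-controlled request fields are written into the access log, a report generator that HTML-encodes only some fields lets them reach the browser as live markup, and a generator that encodes every field does not. The log lines are constructed for the example, the field-coverage gap in report_incomplete() is hypothetical (it illustrates the class of bug, not analog's exact omission), and find_injection_attempts() is a simple check a practitioner can run over existing logs to see whether anyone has tried this.

```python
"""Added example (not analog's code): log injection into an HTML report.

Shows (1) how client-supplied request fields land in a Combined Log Format
line, (2) a hypothetical report generator that encodes some fields but not
others, (3) the corrected generator, and (4) a scan for injection attempts.
"""
import html
import re

# Constructed NCSA Combined Log Format lines. Lines 2 and 3 carry payloads in
# the request URL and the User-Agent header, both of which the client controls.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Mar/2002:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
203.0.113.9 - - [20/Mar/2002:10:00:02 +0000] "GET /<script>alert(document.cookie)</script> HTTP/1.0" 404 210 "-" "Mozilla/4.0"
203.0.113.9 - - [20/Mar/2002:10:00:03 +0000] "GET / HTTP/1.0" 200 1043 "-" "<img src=x onerror=alert(document.cookie)>"
"""

# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_log(text):
    """Parse Combined Log Format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def _table(rows):
    return "<table>\n" + "\n".join(rows) + "\n</table>"


def report_incomplete(entries):
    """Hypothetical vulnerable reporter: the request is encoded, the agent is not.

    The request column is safe, but the raw User-Agent string is pasted into
    the page, so the <img onerror=...> payload executes in the reader's browser.
    """
    return _table(
        "<tr><td>%s</td><td>%s</td></tr>"
        % (html.escape(e["request"], quote=True), e["agent"])
        for e in entries
    )


def report_fixed(entries):
    """Corrected reporter: every attacker-controlled field is HTML-encoded."""
    return _table(
        "<tr><td>%s</td><td>%s</td></tr>"
        % (html.escape(e["request"], quote=True), html.escape(e["agent"], quote=True))
        for e in entries
    )


# Crude markers of HTML/script content in a field that should never contain any.
MARKUP_RE = re.compile(r"<[a-zA-Z/!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def find_injection_attempts(entries):
    """Return (host, field) pairs whose logged value carries HTML or script markup."""
    hits = []
    for e in entries:
        for field in ("request", "referer", "agent"):
            if MARKUP_RE.search(e[field]):
                hits.append((e["host"], field))
    return hits


def contains_live_markup(report_html):
    """True if a tag from a log field survived unencoded in the report."""
    return "<script" in report_html or "<img " in report_html


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("injection attempts:", find_injection_attempts(entries))
    print("incomplete report executes payload:", contains_live_markup(report_incomplete(entries)))
    print("fixed report executes payload:     ", contains_live_markup(report_fixed(entries)))
```

The fix is not "encode the characters that broke the demo"; it is to treat every field taken from the log as untrusted and pass all of them through one HTML encoder (here html.escape with quote=True, so the output is also safe inside attribute values) at the point where they are written into the page. The scan in find_injection_attempts() is a useful retrospective check: if the log of a site that published analog reports contains such markers, the report readers' cookies should be assumed compromised for the affected period.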

Yuji Takahashi reportedly discovered the bug.

Impact:  A remote user can cause arbitrary JavaScript to be executed in another user's browser, in the security context of the site serving the analog report, and so steal that user's cookies and other data associated with the site running analog.
Solution:  The vendor has released a fixed version (5.22), available at:

http://www.analog.cx/download.html

Vendor URL:  www.analog.cx/security4.html
Cause:  Input validation error
Underlying OS:  BeOS, Linux (Any), MacOS, MPE/iX (HP), OpenVMS, UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 28 2002 (Debian Issues Fix) Analog Web Log File Analysis Tool Allows Cross-Site Scripting Attacks   (joey@infodrom.org (Martin Schulze))
The vendor has released a fix.



Source Message Contents

Date:  Thu, 28 Mar 2002 13:30:10 -0500
Subject:  Analog: Security warning

 

Analog: Security warning

SECURITY ADVISORY                                      20th March 2002
----------------------------------------------------------------------
Program: analog
Versions: all versions prior to 5.22
Operating systems: all
----------------------------------------------------------------------
Yuji Takahashi discovered a bug in analog which allows a cross-site
scripting type attack.

It is easy for an attacker to insert arbitrary strings into any web
server logfile. If these strings are then analysed by analog, they can
appear in the report. By this means an attacker can introduce
arbitrary Javascript code, for example, into an analog report produced
by someone else and read by a third person. Analog already attempted
to encode unsafe characters to avoid this type of attack, but the
conversion was incomplete.

Although it is not known that this bug has been exploited, it is easy
to exploit, and all users are advised to upgrade to version 5.22 of
analog immediately. The URL for analog is http://www.analog.cx/
I apologise for the inconvenience.

Thank you to Yuji Takahashi, Motonobu Takahashi and Takayuki Matsuki
for their help with this bug.

                                                        Stephen Turner
                                         analog-author@lists.isite.net


 


Copyright 2002, SecurityGlobal.net LLC