SecurityTracker.com

SecurityTracker Archives

Category:   Application (Generic)  >   Nihuo Web Log Analyzer
Vendors:   Nihuo Software, Inc.
Nihuo Web Log Analyzer Lack of Input Validation in User-Agent and Referer Fields Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1011010
SecurityTracker URL:  http://securitytracker.com/id/1011010
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 21 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 1.6
Description:   An input validation vulnerability was reported in Nihuo Web Log Analyzer. A remote user can conduct cross-site scripting attacks.

Audun Larsen reported that the software does not properly validate user-supplied input in the HTTP User-Agent and Referer header fields. A remote user can submit a specially crafted request to the web server being monitored by the Nihuo Web Log Analyzer. Then, when a target user views the report generated by the log analyzer, arbitrary scripting code embedded in those header values will be executed by the target user's browser. The code will be able to take actions on the application (and possibly the local system) acting as the target user.

A demonstration exploit request is provided:

GET / HTTP/1.1
Host: sample.com
Connection: close
Accept: text/plain
Accept-Language: en-us,en
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
User-Agent: Some-Fake-UA <img src='http://attacker.host.com/app.gif'>

The vendor was reportedly notified on August 20, 2004.

Impact:   A remote user can take actions on the application (and possibly the local system) acting as the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.loganalyzer.net/
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Cross-Site Scripting (XSS) in Nihuo Web Log Analyzer




---------------------------------------------------------------------------
          Cross-Site Scripting (XSS) in Nihuo Web Log Analyzer
---------------------------------------------------------------------------
Author:		Audun Larsen (larsen at xqus dot com)
Date:		Aug 20, 2004


Affected software:
==================
Name:		Nihuo Web Log Analyzer
URL:		http://www.loganalyzer.net/index.html
Version:	v1.6 (older versions not tested)
Released:	Feb 17, 2004


Vendors description:
====================
Nihuo Web Log Analyzer can generate a wide range of reports and statistics from your log file - more than 80 different reports with 2D and 3D graphs.


Introduction:
=============
Most developers know that input validation is important. If you look at the history of PHP-nuke, you can see that software that does not check user input thoroughly is insecure.


Discussion:
===========
Many think that HTTP access-log analyzers don't get any input from the user.
But think about it: both the User-Agent and the Referer header are data that can be manipulated by the user.
Nihuo Web Log Analyzer is vulnerable to just this type of attack.


Exploit:
========
To exploit Nihuo Web Log Analyzer, we have to send a specially crafted HTTP request that includes malicious code.

GET / HTTP/1.1
Host: sample.com
Connection: close
Accept: text/plain
Accept-Language: en-us,en
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
User-Agent: Some-Fake-UA <img src='http://attacker.host.com/app.gif'>

Generating this HTTP request can easily be done in Perl, PHP or any other language. Generating enough hits with this User-Agent will cause it to appear in the "Top Browsers" list, with the HTML code included. Notice that single quotes are used in the User-Agent.
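The following Python script is an added example; it is not code from the advisory or from Nihuo. It reproduces the class of bug described in the Discussion and Exploit sections in a toy log analyzer and shows the fix: it assembles the raw request above as bytes (nothing is sent), parses constructed Apache combined-format log lines, ranks User-Agent strings into a "Top Browsers" table, renders that table once by concatenating the raw strings (the flaw) and once with HTML escaping applied on output, and flags log entries whose Referer or User-Agent contains HTML metacharacters. The log lines, IP addresses, host names and report layout are all constructed for the example. The payload keeps the advisory's single quotes; the combined log format, and therefore this toy parser, delimits the Referer and User-Agent fields with double quotes, so a payload that avoids double quotes is logged and parsed intact.

```python
"""Toy access-log analyzer: vulnerable rendering, hardened rendering, and a
detection check.  Constructed example, not Nihuo's code."""
import html
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Apache "combined" log format.  The two quoted fields at the end, Referer
# and User-Agent, are copied verbatim from attacker-controlled headers.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The User-Agent value from the advisory's demonstration request.
PAYLOAD_UA = "Some-Fake-UA <img src='http://attacker.host.com/app.gif'>"


def build_request(host: str, user_agent: str) -> bytes:
    """Assemble the raw HTTP/1.1 request from the advisory.  Only CRLF framing
    is added; header values are placed verbatim, so whatever is in
    user_agent reaches the web server's access log unchanged."""
    lines = [
        "GET / HTTP/1.1",
        f"Host: {host}",
        "Connection: close",
        "Accept: text/plain",
        "Accept-Language: en-us,en",
        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7",
        f"User-Agent: {user_agent}",
        "",
        "",  # trailing CRLF terminates the header block
    ]
    return "\r\n".join(lines).encode("latin-1")


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def top_browsers(log_lines: List[str], n: int = 3) -> List[Tuple[str, int]]:
    """Count User-Agent strings: the data behind a 'Top Browsers' table."""
    counts: Counter = Counter()
    for line in log_lines:
        rec = parse_combined(line)
        if rec:
            counts[rec["agent"]] += 1
    return counts.most_common(n)


def render_vulnerable(ranking: List[Tuple[str, int]]) -> str:
    """Concatenate logged strings straight into HTML: the flaw in the advisory."""
    rows = "".join(f"<tr><td>{ua}</td><td>{hits}</td></tr>" for ua, hits in ranking)
    return f"<table>{rows}</table>"


def render_hardened(ranking: List[Tuple[str, int]]) -> str:
    """Same table, but every log-derived value is HTML-escaped on output.
    quote=True also escapes ' and \", so attribute-context injection fails."""
    rows = "".join(
        f"<tr><td>{html.escape(ua, quote=True)}</td><td>{hits}</td></tr>"
        for ua, hits in ranking
    )
    return f"<table>{rows}</table>"


def suspicious_fields(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Detection side: flag Referer/User-Agent values containing '<' or '>'.
    Real browsers never send angle brackets in these headers."""
    hits = []
    for line in log_lines:
        rec = parse_combined(line)
        if not rec:
            continue
        for field in ("referer", "agent"):
            if re.search(r"[<>]", rec[field]):
                hits.append((rec["host"], field, rec[field]))
    return hits


# Constructed sample log.  The attacker's entries repeat so the payload
# User-Agent outranks the real browsers, as the advisory describes.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Aug/2004:10:00:00 +0200] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
    '10.0.0.6 - - [20/Aug/2004:10:00:01 +0200] "GET / HTTP/1.1" 200 512 '
    '"http://example.org/" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20040803 Firefox/0.9.3"',
] + [
    f'192.0.2.10 - - [20/Aug/2004:10:01:{i:02d} +0200] "GET / HTTP/1.1" 200 512 "-" "{PAYLOAD_UA}"'
    for i in range(5)
]

if __name__ == "__main__":
    print(build_request("sample.com", PAYLOAD_UA).decode())
    ranking = top_browsers(SAMPLE_LOG)
    print("vulnerable:", render_vulnerable(ranking))
    print("hardened:  ", render_hardened(ranking))
    for host, field, value in suspicious_fields(SAMPLE_LOG):
        print(f"ALERT {host} {field}: {value!r}")
```

Running the script prints the crafted request, then the same ranking twice: in the vulnerable table the `<img>` tag is live markup that a browser viewing the report would fetch from attacker.host.com, while in the hardened table it is inert text. The detection function is the check a practitioner would run over an existing access log before opening any analyzer report on it.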


Tested with:
============
Apache 1.3.x
Nihuo Web Log Analyzer v1.6 (Running on Win2k)


Solution:
=========
No solution was available at the time of writing.
Vendor notified Aug 20, 2004.


Disclaimer: 
===========
The information in this advisory and any of its demonstrations is provided "as is" without warranty of any kind.


Copyright 2021, SecurityGlobal.net LLC