SecurityTracker.com

SecurityTracker Archives

Category: Application (Generic) > Sawmill
Vendors: Flowerfire
Sawmill Lets Remote Authenticated Users Gain Elevated Privileges and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1014106
SecurityTracker URL:  http://securitytracker.com/id/1014106
CVE Reference:   CVE-2005-1900, CVE-2005-1901
Updated:  Nov 2 2008
Original Entry Date:  Jun 6 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 7.1.5 and prior versions
Description:   Juha-Matti Laurio reported several vulnerabilities in Sawmill. A remote authenticated user can gain administrative access to the application. A remote user can conduct cross-site scripting attacks.

A remote authenticated user can bypass an authentication check to gain administrative access to the application.

The 'Add User' and 'Licensing' fields are not properly validated. A remote user can submit specially crafted input to cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Sawmill software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can add a license.

Impact:   A remote authenticated user can gain administrative privileges on the target application.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Sawmill software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can add a license.

Solution:   The vendor has released a fixed version (7.1.6 and later).
Vendor URL:  www.sawmill.net/
Cause:   Access control error, Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject:  [NEW VERSION] Sawmill Unauthorized Administrative Access and


Networksecurity.fi Security Advisory (06-06-2005)

Title: Sawmill unauthorized administrative access and Cross-site 
Scripting vulnerabilities
Criticality: High (3/3)
Affected software: Flowerfire Sawmill versions 7.x and 6.x
Vendor home page: http://www.sawmill.co.uk/
Author: Juha-Matti Laurio info [at] networksecurity.fi, 
juha-matti.laurio [at] netti.fi
Date: 6th June, 2005
Advisory ID: N/A (#7)
Location URL: 
http://www.networksecurity.fi/advisories/sawmill-admin.html (HTML)
CVE reference: N/A 


- Overview:
Several new remote and local type vulnerabilities have been identified in 
the Flowerfire Sawmill log analyzer application, which can enable Cross-site 
Scripting attacks and cause disclosure of sensitive information.

From the vendor:
"Sawmill is a powerful, hierarchical log analysis tool that runs on 
every major platform. It is particularly well suited to web server logs, 
but can process almost any log."
It is widely used at several big IT companies, Web hosting companies, 
banks, US universities etc. It is commonly run as a CGI program.

Additional information from the vendor:
Version 7.1.x adds support for Windows 2003 DNS, Web Washer, Kaspersky 
Labs for Mail Servers, Symantec Mail Security, Windows NT Scheduler and 
some Cisco products etc.
The following categories of log type are covered:
Web Servers, Syslog Servers, Proxy Servers, Mail Servers, Media Servers, 
FTP Servers, Internet Devices, Network Devices, Firewalls, Applications 
and Other Formats.
Sawmill supports about 600 log formats.

Details:
There are several design error and input validation error type 
vulnerabilities in Sawmill. Both non-administrative and administrative 
features related to license, license key and user name handling are 
affected. Another common-type administrative access issue is also 
included in the affected versions.
Sawmill's administrative interface can be accessed by a web browser.
Sawmill versions 7.1.5 and prior, and versions 6.x, are affected.

- Description:

Vulnerability #1:

A remote attacker with non-administrative privileges may gain 
administrative access to the vulnerable log analyzer application.
This is a remote and local type vulnerability.
This is an authentication bypass type issue as well.

Impact:
This can cause a disclosure of sensitive database, system and user 
information. This information is mainly intended for administrative 
persons only. This issue can cause data loss too.
Program functionality was changed to prevent future issues mentioned in 
a fixed software version, by releasing a new version.

This can be exploited by a malicious user to gain sensitive information.


Vulnerability #2:

A remote attacker with no user privileges in use may add a license to 
the vulnerable system.
Like vulnerability #1, this is a remote and local type vulnerability.
Additionally, this is an authentication bypass type issue.

Impact:
This can lead to an unauthorized access to the system.
According to the vendor Web page, using Sawmill application without 
working license code is not possible.

This can be exploited by a malicious user to gain access to the system 
via 'Licensing' feature on the application's 'Administrative' menu.


Vulnerability #3:

A user with administrative privileges may execute a cross-site 
scripting (XSS) attack by entering a specially formatted user name in 
the application's 'Add User' window.
No further detailed information is currently available.

Impact:
This can cause malicious code to be executed in the system.


Vulnerability #4:

A user with administrative privileges may execute a cross-site 
scripting (XSS) attack by entering a specially formatted license key in 
the application's 'Licensing' page.

Impact:
This can cause malicious code to be executed in the system.


Additionally, several separate non-security issues in the version release 
mentioned were also fixed. As reported, those updates are included 
in the version release 7.1.7 too.

The previous security vulnerability related to Sawmill software was 
handled by security companies in February, 2002.

- Solution status:
Fixed (Vendor patch)

Affected product versions:
Flowerfire Sawmill 7.1.5 and prior
Flowerfire Sawmill 6.x

The vulnerabilities have been confirmed in version 7.1.5. Other previous 
versions may also be affected.

NOTE: Version 7.1.7 was released just one day after version 7.1.6 release.
Non-affected software versions:
Sawmill 7.1.7
Sawmill 7.1.6

Examples of the affected versions:
Sawmill 7.1.5
Sawmill 7.1.4
Sawmill 7.1.3
Sawmill 7.1.2
Sawmill 7.1.1b
Sawmill 7.1.1
Sawmill 7.1
Sawmill 7.0.10
Sawmill 7.0.9
Sawmill 6.5.11
Sawmill 6.5.5

Product was formerly known as Chartreuse Cartouche.

Users are urged to contact the vendor for information on obtaining an 
updated version (see References).

Vendor confirmed issues: Yes
Exploit included: No

Affected components: N/A
Affected component versions: N/A

OS:
Microsoft Windows (95/98/ME/NT4/2000/XP/2003)
Linux
Mac OS X
FreeBSD
OpenBSD
NetBSD
Sun Solaris
IBM AIX
HP/UX
OS/2
BeOS

Solution:
Update to version 7.1.6 or newer by contacting vendor.

- Workarounds:
No valuable workarounds available when writing this report.

Vulnerability information was announced by the vendor, and an issue is 
analyzed and written to a report by the researcher. Situation of working 
workarounds was added by the researcher.
This vulnerability information was provided to security companies and 
CERT units to help them to update their product databases to cover 
product versions handled in this report too.

References:
"Sawmill version history":
http://www.sawmill.net/version_history7.html
"Sawmill - Non-European Contact Details / European Contact Details":
http://www.thesawmill.co.uk/support.html

Additional references:
Product homepage: "Sawmill: log analyzer; log file analysis; log 
analysis program":
http://www.sawmill.net/features.html

Timeline:
05-06-2005 Vulnerability researched
05-06-2005 Security companies and several CERT units contacted
06-06-2005 Advisory published
06-06-2005 Link to advisory sent to security companies and several CERT units

Revision history:
06-06-2005 1.0: Researcher's advisory published


Best regards,
Juha-Matti Laurio
IT security researcher
Finland
http://www.networksecurity.fi
 

Copyright 2021, SecurityGlobal.net LLC