Summary
This host is running Adiscon LogAnalyzer and is prone to multiple SQL injection and cross-site scripting vulnerabilities.
Impact
Successful exploitation will allow remote attackers to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Impact Level: Application
Solution
Upgrade to Adiscon LogAnalyzer version 3.4.3 or later. For updates refer to http://loganalyzer.adiscon.com/
Insight
Multiple flaws are due to:
- Input passed via the 'filter' parameter to index.php and the 'id' parameter to admin/reports.php and admin/searches.php is not properly sanitised before being returned to the user (cross-site scripting).
- Input passed via the 'Columns[]' parameter to admin/views.php is not properly sanitised before being used in SQL queries (SQL injection).
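As an added defensive example (not Adiscon's code and not part of this advisory), the following Python flags web-server access-log requests to the endpoints and parameters listed above whose values carry markup or SQL metacharacters that legitimate values never need; the log lines and the /loganalyzer/ install prefix are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint -> vulnerable parameter names, as listed in the advisory.
AFFECTED = {
    "index.php": {"filter"},
    "admin/reports.php": {"id"},
    "admin/searches.php": {"id"},
    "admin/views.php": {"Columns[]"},
}
# Conservative indicators: markup characters (reflected output) and SQL
# metacharacters/keywords that legitimate values for these parameters never need.
SUSPICIOUS = re.compile(r"""[<>"']|--|/\*|\b(?:union|select)\b""", re.IGNORECASE)
# Request field of a Common Log Format line, e.g. "GET /index.php?x=1 HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

def flag_request(line):
    """Return (endpoint, parameter, decoded value) for a suspicious hit, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = parts.path.lstrip("/")
    # Suffix match so an instance installed under a sub-path is still recognised.
    endpoint = next((e for e in AFFECTED if path.endswith(e)), None)
    if endpoint is None:
        return None
    # parse_qs decodes one layer of percent-encoding and keeps "Columns[]" as the key.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in AFFECTED[endpoint]:
            continue
        for value in values:
            decoded = unquote(value)  # strip a second encoding layer if present
            if SUSPICIOUS.search(decoded):
                return (endpoint, name, decoded)
    return None

def scan(lines):
    """(index, hit) for every suspicious request in an iterable of log lines."""
    return [(i, hit) for i, line in enumerate(lines) if (hit := flag_request(line))]

SAMPLE_LOG = [  # constructed access-log lines; the /loganalyzer/ prefix is assumed
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /loganalyzer/index.php?filter=severity%3A3 HTTP/1.1" 200 5123',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /loganalyzer/admin/views.php?Columns[]=syslogtag&Columns[]=msg HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /loganalyzer/index.php?filter=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 5200',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /loganalyzer/admin/views.php?Columns[]=syslogtag%27 HTTP/1.1" 500 311',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /loganalyzer/admin/reports.php?id=1 HTTP/1.1" 200 900',
]
if __name__ == "__main__":
    for i, (endpoint, name, value) in scan(SAMPLE_LOG):
        print(f"line {i}: {endpoint} {name}={value!r}")
```

Only the two lines that hit the affected parameters with a markup character or a stray quote are reported; the benign filter and column selections pass.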
Affected
Adiscon LogAnalyzer version 3.4.2 and prior
Severity
CVSS Base Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- Acute Control Panel SQL Injection Vulnerability and Remote File Include Vulnerability
- AWStats Totals 'sort' Parameter Remote Command Execution Vulnerabilities
- ASP Inline Corporate Calendar SQL injection
- Avenger's News System Command Execution
- 3Com OfficeConnect VPN Firewall Default Password Security Bypass Vulnerability