We have just released LogAnalyzer 3.5.4, the new release of the beta branch. It has the following changes:
- Merged security fixes into beta branch:
- Fixed several security vulnerabilities discovered by Filippo Cavallarin.
This contains the following fixes:
- Fixed SQL Injection vulnerability in admin/view.php
- Fixed Cross Site scripting issue filter parameter on index.php
- Fixed Cross site scripting issue of id parameter on admin/reports.php
- Fixed Cross site scripting issue of id parameter on admin/searches.php
- Fixed arbitrary file read issue in Disk LogStream class. The config.php file does now contain an array "DiskAllowed" which contains allowed directories. Only files located within these allowed directories can be accessed in LogAnalyzer. By default, only /var/log is allowed.
As always, feedback is appreciated.