Several vulnerabilities were discovered and brought to our attention by Filippo Cavallarin. We thank him for giving us the chance to fix these issues before the information was released to the public. More details about the vulnerabilities can be found in this security advisory.
Affected Stable Versions:
Stable branch up to v3.4.2 (inclusive)
Beta branch up to v3.5.3 (inclusive)
The admin/view.php script could be exploited by a non-admin user to insert arbitrary data into the logon_views table. This was possible due to the unchecked POST variable "Columns". When updating a view, it was also possible to overwrite existing data through UPDATE statements.
The UserDB system has to be installed in order to exploit this bug, and the user must have a valid username and password to log in to the LogAnalyzer UserDB. Such a user could have disclosed MD5 password hashes from the logcon_users table.
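The fix for this class of bug is to validate the "Columns" value against the set of column names the view is actually allowed to contain and to bind the result as a query parameter rather than concatenating it into SQL. The following is an added example written for this advisory, not LogAnalyzer's own code: the column names, the userid column and the PDO/SQLite setup are assumptions made so the snippet runs on its own.

```php
<?php
// Added example (not LogAnalyzer's code). Demonstrates validating a POSTed
// "Columns" list against an allow-list and binding it in a prepared UPDATE.
// Column names, the "userid" ownership column and the SQLite schema below are
// assumptions for illustration only.

const ALLOWED_VIEW_COLUMNS = ['date', 'facility', 'severity', 'syslogtag', 'msg'];

// Returns a cleaned, de-duplicated list of column names or throws on any
// value that is not on the allow-list (so nothing user-controlled reaches SQL).
function parseColumns(string $raw): array {
    $clean = [];
    foreach (explode(',', $raw) as $col) {
        $col = trim($col);
        if ($col === '') {
            continue;
        }
        if (!in_array($col, ALLOWED_VIEW_COLUMNS, true)) {
            throw new InvalidArgumentException('Unknown column: ' . $col);
        }
        $clean[] = $col;
    }
    if ($clean === []) {
        throw new InvalidArgumentException('No columns given');
    }
    return array_values(array_unique($clean));
}

// Weak pattern: the raw POST value is pasted into the statement text.
function saveViewUnsafe(PDO $db, int $viewId, string $rawColumns): void {
    $db->exec("UPDATE logon_views SET Columns = '" . $rawColumns . "' WHERE ID = " . $viewId);
}

// Hardened pattern: validated value, bound parameters, and the UPDATE is
// restricted to views owned by the requesting (non-admin) user.
function saveViewSafe(PDO $db, int $viewId, int $userId, string $rawColumns): void {
    $columns = implode(',', parseColumns($rawColumns));
    $stmt = $db->prepare(
        'UPDATE logon_views SET Columns = :cols WHERE ID = :id AND userid = :uid'
    );
    $stmt->execute([':cols' => $columns, ':id' => $viewId, ':uid' => $userId]);
}

// Self-contained demo against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE logon_views (ID INTEGER PRIMARY KEY, userid INTEGER, Columns TEXT)');
$db->exec("INSERT INTO logon_views VALUES (1, 42, 'date,msg')");

saveViewSafe($db, 1, 42, 'date, severity,msg');
echo $db->query('SELECT Columns FROM logon_views WHERE ID = 1')->fetchColumn(), "\n";

try {
    saveViewSafe($db, 1, 42, "date,msg' , userid = 1 -- ");
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The allow-list is the important part: binding alone would protect the statement text, but the stored "Columns" value is later used to build other queries, so only known column names should ever be persisted.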
Arbitrary File Read
LogAnalyzer allows non-admin users (with write access) to create a user diskfile source. The "syslog file" parameter could point to any file, including configuration files. The config.php file now contains an array "DiskAllowed" listing all allowed directories; only files located within these directories can be accessed in LogAnalyzer. By default, only /var/log is allowed.
LogAnalyzer's own "config.php" could be disclosed through this behaviour.
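A directory allow-list of this kind only works if the candidate path is canonicalized before it is compared, so that "..", duplicate slashes and symlinks cannot escape the allowed directory. The block below is an added example of such a check, not the code LogAnalyzer ships; the `$CFG['DiskAllowed']` shape and the `syslogfile` request parameter are assumptions.

```php
<?php
// Added example (not LogAnalyzer's own implementation). Checks a user-supplied
// "syslog file" path against an allow-list of directories in the spirit of the
// DiskAllowed array. The config variable name/shape and the request parameter
// name are assumptions.

$CFG = [];
$CFG['DiskAllowed'] = ['/var/log'];   // assumed: same default as described above

function isPathAllowed(string $path, array $allowedDirs): bool {
    // realpath() resolves "..", repeated slashes and symlinks, and returns
    // false for non-existent paths; a path that cannot be resolved is rejected.
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        return false;
    }
    foreach ($allowedDirs as $dir) {
        $dirReal = realpath($dir);
        if ($dirReal === false) {
            continue;
        }
        // Compare against "<dir>/" including the separator, so that a sibling
        // such as /var/log-private does not match an allowed /var/log.
        $prefix = rtrim($dirReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// Usage when a diskfile source is created or edited.
$candidate = $_POST['syslogfile'] ?? '';
if (!isPathAllowed($candidate, $CFG['DiskAllowed'])) {
    http_response_code(403);
    exit('The requested file is outside the allowed log directories.');
}
// ... safe to open $candidate as a log source from here on
```

Two caveats remain after this check: a symlink created inside /var/log still resolves to its target and is rejected only because the target lies outside the prefix, which is the intended behaviour, and the file is read with the web server's privileges, so anything readable by that account under an allowed directory is exposed to every user with write access.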
Cross Site Scripting
The following scripts contained cross-site scripting vulnerabilities: index.php, admin/reports.php and admin/searches.php. Some input parameters were not properly sanitized against script tags.
An attacker could use prepared links to include and run scripts within the context of LogAnalyzer in the user's browser.
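Filtering "script tags" out of input is fragile; the robust fix is to encode every reflected parameter for the context it is written into. The following added example (not from the LogAnalyzer code base; the `filter` and `search` parameter names are assumptions) shows the same value emitted safely into an HTML attribute, into element text, and into a JavaScript string.

```php
<?php
// Added example (not LogAnalyzer code). Context-aware output encoding for
// request parameters reflected into a page. Parameter names are assumptions.

// HTML text and attribute context: escape <, >, &, " and '.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// JavaScript string context: JSON-encode with the HEX flags so that <, >, &
// and quotes cannot terminate the surrounding <script> block or string.
function js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

$filter = $_GET['filter'] ?? '';
$search = $_GET['search'] ?? '';

// Weak pattern (for comparison only): the raw parameter is written straight
// into an attribute and into the page body.
//   echo '<input name="filter" value="' . $filter . '">';
//   echo '<p>Results for ' . $search . '</p>';

// Hardened output, each value encoded for its own context.
echo '<input type="text" name="filter" value="' . h($filter) . '">' . "\n";
echo '<p>Results for ' . h($search) . '</p>' . "\n";
echo '<script>var lastSearch = ' . js($search) . ';</script>' . "\n";
```

Choosing the encoder by output context (and not by trying to spot dangerous input) is what closes the gap regardless of which characters a given request contains.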
We want to thank Filippo Cavallarin from CodSeq for identifying these issues and working with us in resolving them. More details can be found in his advisory.