NTA Monitor

Latest News

Will IE6 be the next NT4?

1st October 2009 All penetration testers will remember the long tail of Windows NT 4.0, and how this operating system continued to be used long past the point when security updates stopped at the end of 2004. For many years the presence of an unpatchable NT4 server was a common issue in a penetration test report, and it is only now, almost five years after security support ended, that finding an NT4 system on a network is becoming a rare event. Read More

One in four web applications susceptible to high risk security flaws

7th September 2009 NTA Monitor has reported a 10% increase in the total number of web applications found to have at least one high-risk security issue... Read More

Organisations facing a changing threat landscape

20th July 2009 According to NTA Monitor's 2009 Annual Security Report, the average number of Internet security vulnerabilities is on the rise... Read More

The Return of the Insider Threat

1st July 2009 When NTA started security testing twelve years ago, the main focus was on the insider threat. There were many reports with statistics showing that most security breaches were due to insiders. By contrast there was very little focus on the external threat via Internet and third-party network links. Back then many companies did not even have a firewall. Read More

Sawmill Cross Site Scripting (XSS) Vulnerability

Overview

NTA Monitor has discovered a cross site scripting (XSS) vulnerability in the Flowerfire Sawmill log analysis tool while performing a RM vulnerability test for a customer.

The web administration page for the Sawmil log analysis software is vulnerable to an XSS attack. The attacker does not need to be authenticated to perform this attack.

Vulnerability Details

Sawmill's built in webserver assumes that any query string appended to a GET request is a configuration command. This query string is not validated correctly for HTML tags so an attacker can use <script< tags to alter the output that is displayed to the browser. Possible attacks are varied, and can include creating a false login page to capture authentication details.

Example

The simple example below demonstrates the vulnerability. If the following GET request is sent to the webserver listening on the default port of 8987:

	http://host:8987/?&lt;script&gt;alert('vulnerable to XSS');&lt;/script&gt;

The result of this is shown in the this screenshot:

Affected Versions

Version 7.1.13 is affected by this vulnerability, possibly older version 7 versions also are affected. The previous version 6.5.11 is not affected by this issue. At this time the windows and source code versions have been tested.

Solution

Upgrade to version 7.1.14 or newer.

Timeline

The vulnerability was first discovered on 22nd August 2005.
The vulnerability was reported to Flowerfire on 25th August 2005.
New version released on 8th September 2005.

This advisory was first released on 8th September 2005.