Sawmill Cross Site Scripting (XSS) Vulnerability
Overview
NTA Monitor has discovered a cross site scripting (XSS) vulnerability in the Flowerfire Sawmill log analysis tool while performing a RM vulnerability test for a customer.
The web administration page for the Sawmil log analysis software is vulnerable to an XSS attack. The attacker does not need to be authenticated to perform this attack.
Vulnerability Details
Sawmill's built in webserver assumes that any query string appended to a GET request is a configuration command. This query string is not validated correctly for HTML tags so an attacker can use <script< tags to alter the output that is displayed to the browser. Possible attacks are varied, and can include creating a false login page to capture authentication details.
Example
The simple example below demonstrates the vulnerability. If the following GET request is sent to the webserver listening on the default port of 8987:
http://host:8987/?<script>alert('vulnerable to XSS');</script>
The result of this is shown in the this screenshot:
Affected Versions
Version 7.1.13 is affected by this vulnerability, possibly older version 7 versions also are affected. The previous version 6.5.11 is not affected by this issue. At this time the windows and source code versions have been tested.
Solution
Upgrade to version 7.1.14 or newer.
Timeline
- The vulnerability was first discovered on 22nd August 2005.
- The vulnerability was reported to Flowerfire on 25th August 2005.
- New version released on 8th September 2005.
This advisory was first released on 8th September 2005.