Title: ModLogAn Splitby Input Validation Vulnerability
Severity: MODERATE
Description:
ModLogAn is a freely available, open-source log file analyzer. It can process log files from a number of different services including webservers (Apache, MS IIS, Netscape), FTP servers (wu-ftpd, proftpd, etc.) and mail servers (sendmail, qmail), and a variety of other sources. ModLogAn can be run on many Unix and Linux variants, as well as Microsoft Windows NT/2000 systems.
An issue in ModLogAn has been reported which may make it possible for a local attacker to use symlink attacks to overwrite root-owned files. This vulnerability is in the splitby option of the processor_web plugin, and should only affect systems which have this feature enabled.
The splitby option lets a user split log files into separate reports per virtual host. When the splitby code parses entries in log files, it does not adequately validate the virtual host field before using it to build the output path for that host's report.
If a log entry contains a hostname that begins with dot-dot-slash (../) sequences, the ModLogAn output for that entry may be written to an unexpected directory of the attacker's choosing. Vulnerable versions of ModLogAn run as root. A malicious local user may exploit this to mount symlink attacks and overwrite root-owned files, which may allow the attacker to destroy critical data, cause a denial of service, or possibly escalate privileges.
Note that exploitation of this issue may depend on a separate vulnerability in the server whose logs are parsed, for example BugTraq ID 3596 ("Apache Split-Logfile File Append Vulnerability"), because the attacker must have some way to append malicious data to the log files that ModLogAn parses. The log files ModLogAn processes would not normally be writable by unprivileged users.
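The following is an added illustration of the flaw described above, written for this page; it is not ModLogAn's own code and does not reproduce its internals. It assumes a "split by virtual host" report writer that takes the first whitespace-delimited field of each log line (the %v field of an Apache vcombined-style format) as the virtual host name and splices it into an output path under a report root. The log lines, the report root /var/www/reports and the function names are all constructed for the example. build_report_path_unsafe shows the traversal; vhost_is_safe and build_report_path show the per-component validation that rejects it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define REPORT_PATH_MAX 512

/* Unsafe variant: trusts the vhost field and splices it straight into a
 * path. A vhost of "../../tmp/evil" escapes the report root entirely. */
int build_report_path_unsafe(const char *root, const char *vhost,
                             char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%s/%s/index.html", root, vhost);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Returns 1 if vhost is acceptable as a single directory component:
 * non-empty, bounded length, no path separators, not "." or "..", no
 * leading dot, and only hostname characters (letters, digits, '-', '.').
 * Anything else, including "../", is rejected rather than normalized. */
int vhost_is_safe(const char *vhost)
{
    size_t len, i;
    if (vhost == NULL) return 0;
    len = strlen(vhost);
    if (len == 0 || len > 253) return 0;
    if (vhost[0] == '.') return 0;            /* rejects ".", "..", ".x" */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)vhost[i];
        if (c == '/' || c == '\\') return 0;  /* no separators at all */
        if (!(isalnum(c) || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* Hardened variant: validate the component, then build the path. */
int build_report_path(const char *root, const char *vhost,
                      char *out, size_t outsz)
{
    if (!vhost_is_safe(vhost)) return -1;
    return build_report_path_unsafe(root, vhost, out, outsz);
}

/* Copy the first whitespace-delimited field of a log line into vhost.
 * Returns 0 on success, -1 if the line has no leading field. */
int extract_vhost(const char *line, char *vhost, size_t vsz)
{
    size_t i = 0;
    while (line[i] != '\0' && !isspace((unsigned char)line[i]) && i + 1 < vsz) {
        vhost[i] = line[i];
        i++;
    }
    vhost[i] = '\0';
    return i > 0 ? 0 : -1;
}

int main(void)
{
    /* Constructed sample log lines in a "%v %h ..." layout; not real data.
     * The second line carries a traversal sequence in the vhost field. */
    const char *lines[] = {
        "www.example.org 203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] \"GET / HTTP/1.0\" 200 2326",
        "../../tmp/evil 203.0.113.9 - - [10/Oct/2000:13:55:37 -0700] \"GET / HTTP/1.0\" 200 12",
    };
    const char *root = "/var/www/reports";   /* hypothetical report root */
    char vhost[256], path[REPORT_PATH_MAX];
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        if (extract_vhost(lines[i], vhost, sizeof vhost) != 0) continue;
        if (build_report_path_unsafe(root, vhost, path, sizeof path) == 0)
            printf("unsafe: %s\n", path);
        if (build_report_path(root, vhost, path, sizeof path) == 0)
            printf("safe:   %s\n", path);
        else
            printf("safe:   rejected vhost \"%s\"\n", vhost);
    }
    return 0;
}
```

The check is deliberately an allow-list on a single path component rather than a search for "../": a rejected name is never written anywhere, so there is no normalized path to reason about. It addresses only the traversal. Writing reports as root into a directory other users can write to remains a symlink risk on its own, which is why the advisory's point about the analyzer running as root stands independently of this fix.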
Affected Products:
- ModLogAn 0.5.0
- ModLogAn 0.5.6
- ModLogAn 0.5.7
- ModLogAn 0.6.0
- ModLogAn 0.7.11
References:
- ModLogAn: ModLogAn Announcement
- ModLogAn: ModLogAn Product Page
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.