Debian DSA-125-1 : analog - XSS

Severity: High. Nessus Plugin ID: 14962

Synopsis

The remote Debian host is missing a security-related update.

Description

Yuji Takahashi discovered a bug in analog that allows a cross-site scripting (XSS) attack. It is easy for an attacker to insert arbitrary strings into any web server logfile. If analog then analyses these strings, they can appear in the report. In this way an attacker can introduce arbitrary JavaScript code, for example, into an analog report produced by someone else and read by a third person.
Analog already attempted to encode unsafe characters to avoid this type of attack, but the conversion was incomplete.

Solution

Upgrade the analog package immediately.

This problem has been fixed in the upstream version 5.22 of analog.
Unfortunately, patching the old version of analog in the stable distribution of Debian instead is a very large job that defeats us.

See Also

http://www.debian.org/security/2002/dsa-125

Plugin Details

Severity: High

ID: 14962

File Name: debian_DSA-125.nasl

Version: 1.20

Type: local

Agent: unix

Published: 9/29/2004

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:analog, cpe:/o:debian:debian_linux:2.2

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 3/28/2002

Reference Information

CVE: CVE-2002-0166

BID: 4389

DSA: 125