ELOG < 2.6.2 Multiple Vulnerabilities
High Nessus Network Monitor Plugin ID 3379
SynopsisThe remote host is vulnerable to multiple attack vectors.
DescriptionThe remote host appears to be using ELOG, a web-based electronic logbook application. The version of ELOG installed on the remote host fails to filter directory traversal strings before processing GET requests. An attacker can exploit this issue to retrieve the contents of arbitrary files from the remote host, subject to the privileges under which ELOG runs. In addition, the application is reportedly affected by a format string vulnerability in the 'write_logfile'. Provided logging is enabled, an attacker may be able to exploit this via the 'uname' parameter of the login form to crash the application or execute arbitrary code remotely.
SolutionUpgrade to version 2.6.2 or higher.