SECURITY ADVISORY 20th March 2002 ---------------------------------------------------------------------- Program: analog Versions: all versions prior to 5.22 Operating systems: all ---------------------------------------------------------------------- Yuji Takahashi discovered a bug in analog which allows a cross-site scripting type attack. It is easy for an attacker to insert arbitrary strings into any web server logfile. If these strings are then analysed by analog, they can appear in the report. By this means an attacker can introduce arbitrary Javascript code, for example, into an analog report produced by someone else and read by a third person. Analog already attempted to encode unsafe characters to avoid this type of attack, but the conversion was incomplete. Although it is not known that this bug has been exploited, it is easy to exploit, and all users are advised to upgrade to version 5.22 of analog immediately. The URL for analog is http://www.analog.cx/ I apologise for the inconvenience. Thank you to Yuji Takahashi, Motonobu Takahashi and Takayuki Matsuki for their help with this bug. Stephen Turner [email protected]
Stephen Turner