ModLogAn is a freely available, open-source log file analyzer. It can process log files from a number of different services, including web servers (Apache, MS IIS, Netscape), FTP servers (wu-ftpd, proftpd, etc.), mail servers (sendmail, qmail) and a variety of other sources. ModLogAn can be run on many Unix and Linux variants, as well as Microsoft Windows NT/2000 systems.

A vulnerability exists in the splitby option of the processor_web plugin and should only affect systems which have this feature enabled. It may allow a local attacker to overwrite root-owned files via symlink attacks. The splitby function enables a user to split log files into separate reports for each virtual host. Splitby does not adequately validate input: when parsing a log entry whose hostname starts with dot-dot-slash (../) sequences, the ModLogAn output may end up in an unexpected directory of the attacker's choosing.

Vulnerable versions of ModLogAn run as root. A malicious local user may capitalize on this to use symlink attacks to overwrite root-owned files. This may enable the local attacker to destroy critical data, cause a denial of service, or possibly escalate privileges.

It should be noted that exploitation of this issue may depend on external vulnerabilities in server products, for example BugTraq ID 3596, "Apache Split-Logfile File Append Vulnerability", as an attacker must have a way to append malicious data to the log files that ModLogAn parses. The type of log files ModLogAn parses would not normally be alterable by unprivileged users.
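The root cause described above is that a hostname taken from a log line is used, unvalidated, as a directory component of the report path. The following C example, added here and not taken from ModLogAn's own code, shows the kind of check a per-virtual-host splitter should apply before building an output path: it accepts only names from the DNS hostname alphabet and rejects path separators, ".." sequences and other names that could redirect output outside the report directory. The function names `safe_vhost_name` and `build_report_path`, the base directory and the sample hostnames are all assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Maximum length of a DNS hostname (RFC 1035). */
#define MAX_HOST_LEN 253

/* Returns 1 if `host` is safe to use as a single directory component
 * for a per-virtual-host report, 0 otherwise. Rejects path separators,
 * ".." sequences, whitespace/control characters and anything outside
 * the DNS hostname alphabet. (Hypothetical helper, not ModLogAn code.) */
int safe_vhost_name(const char *host)
{
    size_t len;
    size_t i;

    if (host == NULL)
        return 0;
    len = strlen(host);
    if (len == 0 || len > MAX_HOST_LEN)
        return 0;

    /* "." and ".." would resolve to the base directory or its parent. */
    if (strcmp(host, ".") == 0 || strcmp(host, "..") == 0)
        return 0;

    /* A leading '-' or '.' is not a valid hostname label start and could
     * be read as an option or a hidden file by other tools. */
    if (host[0] == '-' || host[0] == '.')
        return 0;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '/' || c == '\\')
            return 0;                       /* path separator */
        if (c == '.' && host[i + 1] == '.')
            return 0;                       /* ".." anywhere in the name */
        if (!(isalnum(c) || c == '-' || c == '.'))
            return 0;                       /* outside hostname alphabet */
    }
    return 1;
}

/* Builds "<base>/<host>" into `out` only when `host` passes validation.
 * Returns 0 on success, -1 if the name was rejected or would not fit. */
int build_report_path(char *out, size_t outlen, const char *base, const char *host)
{
    int n;

    if (!safe_vhost_name(host))
        return -1;
    n = snprintf(out, outlen, "%s/%s", base, host);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample virtual-host fields as they might appear in a
     * log line; the traversal form mirrors the advisory's description. */
    const char *samples[] = {
        "www.example.com",
        "../../../etc",
        "vhost/../../tmp",
        "-evil.example.com",
        "",
    };
    char path[512];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (build_report_path(path, sizeof(path), "/var/www/reports", samples[i]) == 0)
            printf("accepted: %s -> %s\n", samples[i], path);
        else
            printf("rejected: \"%s\"\n", samples[i]);
    }
    return 0;
}
```

Validating the name is the primary fix; it is also worth opening the report file with O_NOFOLLOW (POSIX.1-2008) or dropping root privileges before writing, so that even a name which slips through cannot be turned into a symlink attack on a root-owned file.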