The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other platforms; new updates will be ignored and lost.
If needed you can get in touch with the EGI SDIS team using operations @ egi.eu.

EGI CSIRT:Alerts/elog-2010-08-18

From EGIWiki
Revision as of 13:58, 18 August 2010 by Lnixon

Title: Medium Impact Vulnerability in Elog Web Application
Date:  August 18, 2010

Summary
-------

Elog is a stand-alone weblog, popular in the scientific community. It
allows easy exchange of messages between users. It is written in C and
maintained by Stefan Ritt of PSI.

Elog versions prior to 2.8.0 contain vulnerabilities that allow user
passwords to be stolen, and may allow arbitrary code execution.

This advisory is based on information graciously provided by CERN.


Details
-------

Three security issues have been identified in the Elog application:

1. Incorrect use of cryptography that could lead to password leaks and
other problems. The new version automatically converts the password file
to the new format. However, if encryption was enabled previously, this
update will have the effect that all users will have to re-enter
their passwords (via the "forgot password" mechanism). Converting is
nonetheless recommended.

2. A cross-site scripting (XSS) problem which, combined with the problem
above, is a viable channel for password theft.

3. An unspecified vulnerability (a stack buffer overflow) that potentially
allows local users to execute arbitrary code.

The problems were identified by Lukasz Olejnik (CERN/PSNC).

Version 2.8.0 fixes these problems. It is available here:
https://midas.psi.ch/elog/


Recommended Actions
-------------------

Affected sites are recommended to update their Elog instances as soon as
possible.