JVNDB-2010-000035

Cross-site scripting vulnerability in Access Analyzer CGI by futomi's CGI Cafe

Overview

Access Analyzer CGI from futomi's CGI Cafe contains a cross-site scripting vulnerability, caused by a particular method in which tags are embedded into the web page.

Access Analyzer CGI, provided by futomi's CGI Cafe, is software for analyzing web access logs. It contains a cross-site scripting vulnerability, which is caused by a particular method in which tags are embedded into the web page.

According to the developer, users of the Professional version that are using the "Method to load js files for tags within the head tag" as stated in the manual are not affected by this vulnerability.

Katsumi Kobayashi of NRI Secure Technologies, Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products
futomi Co.,Ltd.
  • Access Analyzer CGI Professional Version
  • Access Analyzer CGI Standard Version 4.0.2 and earlier

Impact

An arbitrary script may be executed in the user's web browser.

Solution

[Change the method in which tags are embedded]
Use the "Method to load js files for tags within the head tag" that is described in the manual.

Note that users of the Standard version must update the software before making this change.

Vendor Information

futomi Co.,Ltd.

CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]

CVE

  1. CVE-2010-2366

References

  1. JVN : JVN#35605523
  2. National Vulnerability Database (NVD) : CVE-2010-2366
  3. SecurityFocus : 43142

Revision History

[2010/09/10]
  Web page published