
Analogi ( Web Interface for OSSEC ) SQL Injection Vulnerability

Hey

This weekend I decided to install OSSEC in my lab. I was planning to see how OSSEC works and what its detection rate is on reverse/bind connections. After I had installed the OSSEC agent and server, I was thinking about developing a Node.js application to print every event on screen in real time, so I decided to search for a similar project. After several Google searches I came across Analogi.

https://github.com/ECSC/analogi

Technical Analysis

Analogi is written in PHP and can be found on GitHub. It actually seems quite popular to me. I thought I should look at the source code for stored XSS and SQLi, because OSSEC gathers data from agents, and that "data" can be generated by clients (attackers). I was reading the code from this perspective, but I found something else: a SQL injection, and a very basic one.

The following code is taken from the manager.php file.

Line 1: Expects the action variable to be defined and equal to delete, and the Referer header to point at manager.php. Note that the Referer header is supplied by the client, so this check is no obstacle to an attacker who sets it by hand.

Line 2: Good comments..

Line 24: Uses the path variable in the query without any sanitization and stores the result in the $where variable.

Line 30: Appends $where to the end of the query string.
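As an added illustration (this is not Analogi's own code, and manager.php is not reproduced here), the pattern just described, reduced to a runnable script, next to the prepared-statement form that removes the injection. The table and column names (alerts, path), the in-memory SQLite database standing in for the real MySQL backend, and the payload are all assumptions made for the demo:

```php
<?php
// Added illustration of the injection pattern described above. This is NOT
// Analogi's manager.php: the table/column names (alerts, path) are assumed,
// and an in-memory SQLite database stands in for the real MySQL backend.

function seedDatabase(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE alerts (id INTEGER PRIMARY KEY, path TEXT NOT NULL)');
    // Constructed sample rows, not data from a real OSSEC install.
    $paths = ['/var/log/auth.log', '/var/log/syslog', '/var/ossec/logs/alerts/alerts.log'];
    $ins = $db->prepare('INSERT INTO alerts (path) VALUES (?)');
    foreach ($paths as $p) {
        $ins->execute([$p]);
    }
    return $db;
}

function countRows(PDO $db): int {
    return (int) $db->query('SELECT COUNT(*) FROM alerts')->fetchColumn();
}

// Vulnerable pattern: the request parameter is concatenated into $where and
// $where is appended to the query, so the input is parsed as SQL, not as a value.
function deleteByPathVulnerable(PDO $db, string $path): int {
    $where = " WHERE path = '" . $path . "'";
    $sql = 'DELETE FROM alerts' . $where;
    return $db->exec($sql);            // number of rows actually deleted
}

// Hardened form: same statement, but the value travels as a bound parameter
// and can never change the structure of the query.
function deleteByPathSafe(PDO $db, string $path): int {
    $stmt = $db->prepare('DELETE FROM alerts WHERE path = :path');
    $stmt->execute([':path' => $path]);
    return $stmt->rowCount();
}

// Constructed attacker input: closes the string literal and makes the WHERE
// clause true for every row. In the real app it would arrive as the path
// request parameter, together with action=delete and a forged Referer header.
$payload = "x' OR '1'='1";

$db = seedDatabase();
$before = countRows($db);
$deleted = deleteByPathVulnerable($db, $payload);
printf("vulnerable: payload deleted %d of %d rows\n", $deleted, $before);

$db = seedDatabase();
$before = countRows($db);
$deleted = deleteByPathSafe($db, $payload);
printf("hardened:   payload deleted %d of %d rows\n", $deleted, $before);
```

Run it with the PHP CLI (pdo_sqlite is bundled with most PHP builds). The vulnerable function wipes the whole table on the first payload, while the prepared statement matches nothing because the quote and OR are compared as part of the literal path value; the fix is to replace every string-built WHERE clause in manager.php with a bound parameter in the same way.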

There are many other vulnerabilities to be found in the same file.

Result

Analogi can be useful, but it is really not a secure app. I would recommend Logstash or similar technologies rather than PHP apps.