The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of ELOG: several vulnerabilities

Synthesis of the vulnerability 

Several vulnerabilities in ELOG allow an attacker to execute code, to cause a denial of service, or to carry out Cross Site Scripting attacks.
Impacted systems: Debian.
Severity of this alert: 2/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 28/12/2006.
References of this alert: BID-20181, BID-20876, BID-20881, BID-20882, CVE-2006-5063, CVE-2006-5790, CVE-2006-5791, CVE-2006-6318, DSA-1242-1, VIGILANCE-VUL-6425.

Description of the vulnerability 

The ELOG program (Electronic Logbook) is a logbook application. It contains several vulnerabilities.

An attacker can carry out a Cross Site Scripting attack when a log entry is edited in HTML mode. [severity:2/4; BID-20181, CVE-2006-5063]

The el_submit(), receive_config(), show_rss_feed(), show_elog_list(), show_logbook_node() and server_loop() functions of elogd.c contain several format string errors which can lead to code execution. [severity:2/4; BID-20876, CVE-2006-5790]

The send_file_direct() and submit_elog() functions do not correctly filter their parameters, which creates Cross Site Scripting vulnerabilities. [severity:2/4; BID-20881, BID-20882, CVE-2006-5791]

A malformed configuration file leads to a NULL pointer dereference. [severity:2/4; CVE-2006-6318]
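The format string defect described above for elogd.c, shown as an added example that is not ELOG's own code: an untrusted string passed as the format argument is the bug class behind CVE-2006-5790, and the hardened form uses a literal format with the user text as a "%s" argument. The helper names (write_log_line, contains_format_directive) are hypothetical.

```c
/* Added example, not ELOG code: the format string pattern and its fix,
 * in a small elogd-style line writer. Function names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Vulnerable shape (not compiled here): the attacker-controlled text,
 * e.g. an entry subject or a configuration value, becomes the format.
 *
 *     fprintf(out, user_text);      // "%x" reads the stack, "%n" writes memory
 *
 * Hardened shape: the format is a literal and the user text is an argument.
 * Returns the number of characters written, or -1 on truncation or error. */
static int write_log_line(char *buf, size_t buflen, const char *user_text)
{
    int n = snprintf(buf, buflen, "[entry] %s\n", user_text);
    if (n < 0 || (size_t)n >= buflen)
        return -1;                    /* refuse silently truncated output */
    return n;
}

/* Defensive check for input boundaries: does untrusted text carry a
 * conversion specifier that would matter if it ever reached a format slot?
 * "%%" is a literal percent sign and is not flagged. */
static int contains_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {            /* skip the escaped "%%" pair */
            s++;
            continue;
        }
        return 1;                     /* "%x", "%n", "%s", a lone "%" ... */
    }
    return 0;
}

int main(void)
{
    char line[64];
    const char *constructed_input = "%x%x%n";   /* constructed sample input */
    int n = write_log_line(line, sizeof line, constructed_input);
    printf("written=%d directive=%d text=%s", n,
           contains_format_directive(constructed_input), line);
    return 0;
}
```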

This computer vulnerability bulletin impacts software or systems such as Debian.

Our Vigil@nce team determined that the severity of this vulnerability bulletin is medium.

The trust level is: confirmed by the editor. The attack origin is: intranet client.

This bulletin is about 4 vulnerabilities.

An attacker with expert skills can exploit this threat.

Solutions for this threat 

Debian: new elog packages.
New packages are available:
  AMD64 architecture:
    http://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558-4+sarge3_amd64.deb
      Size/MD5 checksum: 512510 48ee1c675cefa6a0b0af01f7cbb9f079
  Intel IA-32 architecture:
    http://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558-4+sarge3_i386.deb
      Size/MD5 checksum: 514786 c14108b91d171ac38b0104ae769cfc96
  Intel IA-64 architecture:
    http://security.debian.org/pool/updates/main/e/elog/elog_2.5.7+r1558-4+sarge3_ia64.deb
      Size/MD5 checksum: 598224 df22b05edfb9dfab43cc69233f2d88e4

Computer vulnerabilities tracking service 

Vigil@nce provides a computer vulnerability watch. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.