
XpoLog Center V6 CSRF Remote Command Execution

High
Advisory ID: ZSL-2016-5335
Release Date: 01 July 2016
Vendor:
Affected Version: 6.4469, 6.4254, 6.4252, 6.4250, 6.4237, 6.4235, 5.4018
CVE: N/A
Tested On: Apache-Coyote/1.1, Microsoft Windows Server 2012, Microsoft Windows 7 Professional SP1 EN 64bit, Java/1.7.0_45, Java/1.8.0.91
Summary

XpoLog Center is an applications log analysis and management platform.

Description

XpoLog suffers from an arbitrary command execution vulnerability. Attackers can exploit this issue through the task tool feature by adding a task that runs a given binary with attacker-supplied arguments. Because the task creation request is not protected against cross-site request forgery (CSRF), an attacker can chain the two flaws to execute system commands with SYSTEM privileges.

Proof of Concept
Disclosure Timeline
14.06.2016 - Vulnerability discovered.
21.06.2016 - Contact with the vendor.
30.06.2016 - No response from the vendor.
01.07.2016 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
01.07.2016 - Initial release
02.07.2016 - Added reference [2]
04.07.2016 - Added reference [3]
06.07.2016 - Added references [4], [5] and [6]