JVN#63511247
Access Analyzer CGI Professional Version vulnerability allows third party to gain administrative privileges
Overview
Access Analyzer CGI Professional Version from futomi's CGI Cafe contains a vulnerability that allows an attacker to gain administrative privileges.
Products Affected
- Access Analyzer CGI Professional Version Ver 4.11.5 and earlier
Description
Access Analyzer CGI provided by futomi's CGI Cafe is a software to analyze web access logs. Access Analyzer CGI Professional Version contains a vulnerability that allows an attacker to gain administrative privileges.
Impact
A remote attacker could impersonate an administrator of Access Analyzer CGI Professional Version
Solution
Update the Software
Update to the latest version according to the information provided by the vendor.
Workarounds
As a workaround to this vulnerability, change the settings in the server where the software is installed and disable access to the administrator menu until the software is updated.
Vendor Status
| Vendor | Link |
| futomi's CGI Cafe |
Update for the users of Access Analyzer CGI Professional Version (Japanese Only) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2009.03.31
| Measures | Conditions | Severity |
|---|---|---|
| Access Required | Routed - can be attacked over the Internet using packets |
|
| Authentication | None - anonymous or no authentication (IP addresses do not count) |
|
| User Interaction Required | None - the vulnerability can be exploited without an honest user taking any action |
|
| Exploit Complexity | Low - little to no expertise and/or luck required to exploit (cross-site scripting) |
|
Credit
Taketo Ikeuchi and Seiki Sugahara reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE |
CVE-2009-1206 |
| JVN iPedia |
JVNDB-2009-000016 |