
DeepMetrix LiveStats HTML Report Script Injection Vulnerability

LiveStats parses web server log files into an SQL database, enabling a user to generate reports describing site traffic. The generated HTML reports are viewed through the LiveStats web browser interface. LiveStats runs on Microsoft Windows and is maintained by DeepMetrix, formerly known as MediaHouse Software.

LiveStats does not filter HTML tags when generating reports. As a result, it is possible for an attacker to cause arbitrary script code to be included in HTML reports generated by LiveStats. When a user views the report page via the browser interface, the script code will be executed in their browser, in the context of the LiveStats host.

This issue has been reported in LiveStats 6.2; prior versions may also be affected.
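
The missing filtering described above, next to its output-encoding fix, as an added example that is not LiveStats code and not part of the original advisory. The combined log format, the fields shown, and all function names are assumptions; the advisory does not state which log fields reach the report.

```python
import html
import re

# Constructed sample lines in Apache/NCSA combined log format (not real traffic).
# The second line carries markup in a client-controlled field.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2002:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 512 "http://example.com/" "Mozilla/4.0"',
    '192.0.2.11 - - [01/Jan/2002:10:00:05 +0000] "GET /a.html HTTP/1.0" 200 128 "<script>alert(1)</script>" "Mozilla/4.0"',
]

LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Fields shown in the report (an assumption, see lead-in).
FIELDS = ("host", "time", "request", "status", "referer", "agent")


def parse(lines):
    """Return one dict per line that matches the combined log format."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]


def render_unfiltered(records):
    """Behaviour the advisory describes: log values copied into HTML as-is."""
    rows = ["<tr>" + "".join(f"<td>{r[f]}</td>" for f in FIELDS) + "</tr>"
            for r in records]
    return "<table>\n" + "\n".join(rows) + "\n</table>"


def render_escaped(records):
    """Hardened form: every log-derived value is HTML-escaped on output."""
    rows = ["<tr>" + "".join(f"<td>{html.escape(r[f], quote=True)}</td>"
                              for f in FIELDS) + "</tr>"
            for r in records]
    return "<table>\n" + "\n".join(rows) + "\n</table>"


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print(render_unfiltered(recs))
    print(render_escaped(recs))
```

Escaping is applied at output time to every field, not only the ones expected to contain markup, because all request-derived log values are client-controlled.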

Copyright 2008, SecurityFocus