EGI SVG Advisories

Title: Medium Impact Vulnerability in Elog Web Application
Date:  August 18, 2010

Summary
-------

Elog is a stand-alone weblog, popular in the scientific community. It
allows easy exchange of messages between users. It is written in C and
maintained by Stefan Ritt of PSI.

Elog versions prior to 2.8.0 contain vulnerabilities that allow user
passwords to be stolen, and may allow arbitrary code execution.

This advisory is based on information graciously provided by CERN.


Details
-------

Three security issues have been identified in the Elog application:

1. Incorrect use of cryptography which could lead to password leaks and
other problems. The new version automatically converts the password file
to the new format. However, if encryption was enabled previously, this
update will have the effect that all of the users will have to re-type
their passwords (via the "forgot password" mechanism). It is nonetheless
recommended to convert.

2. XSS problem (which combined with the problem above is a viable
channel for the password theft).

3. Unspecified vulnerability, potentially allowing execution of arbitrary
code by the local users (via stack buffer overflow).

The problems were identified by Lukasz Olejnik (CERN/PSNC).

The new version 2.8.0 introduces fixes to these problems. Please find it
here: https://midas.psi.ch/elog/


Recommended Actions
-------------------

Affected sites are recommended to update their Elog instances as soon as
possible.