Webfwlog Security Page


Versions 0.91 and 0.92 of webfwlog are subject to a potential directory traversal vulnerability if PHP has register_globals enabled. See CVE-2007-0585. It is recommended that all users of webfwlog < 0.93 upgrade to the latest version.


All versions of webfwlog before 0.91 are subject to a trivially exploitable SQL injection vulnerability when querying data in a ulog database. If your data is in syslog files this vulnerability is not present.


All webfwlog versions before 0.91 by default allowed the user to add raw SQL to the WHERE and HAVING clause of the queries sent to the database server. In older versions of webfwlog this was the only way to select packets based on some fields, and embedded quoted strings are difficult to escape, so the entire user provided input was sent as-is. All logged fields now have specific selectors so in most cases it is not necessary to add raw SQL to a query, and everything entered by the user is properly validated and escaped. Accordingly, the ability to add raw SQL is now disabled by default, and must be explicitly enabled in the webfwlog.conf file.

Saved reports from older versions of webfwlog that made use of this feature (e.g., to specify multiple ports in webfwlog versions < 0.87) will need to me modified using the report editor. In particular, some of the sample reports included in the webfwlog distribution for versions < 0.87 used this feature and these reports and any reports based on them will need to be modified. The affected reports are tcpports, tcpsyn, and recent_active.

Even if present in a saved report, the additional_where and additional_having fields are ignored if allow_additional_where is disabled (default). In order to modify these reports it will be necessary to temporarily enable the allow_additional_where parameter in the webfwlog. After saving the modified reports the allow_additional_where parameter should be disabled.

It is recommended that all users of webfwlog < 0.91 upgrade to the latest version.

You can download the latest release from this site or from Sourceforge.