Product:  LogAnalyzer
Version:  3.6.0
Vendor:  www.adiscon.com
Vulnerability type:  Cross Site Scripting
Risk level: Low
Vendor notification: 2012-12-15
Patch Release: 2012-12-19
Public disclosure: 2012-12-20
Author: Mohd Izhar Bin Ali aka johncrackernet
Website: http://johncrackernet.blogspot.com

Details:
A cross-site scripting vulnerability existed in the asktheoracle.php page. An attacker could use it to execute arbitrary HTML and Script code by using the oracle_query parameter.

Proof of Concept:
The 'oracle_query' parameter didn't sanitize properly for asktheoracle.php page.
http://192.168.1.10/loganalyzer-3.6.0/asktheoracle.php?type=searchstr&oracle_query=<script>alert("XSS")<script>

Solutions:
Upgrade to the latest version of Log Analyzer 3.6.1



Reference:
http://loganalyzer.adiscon.com/security-advisories/loganalyzer-cross-site-scripting-vulnerability-in-oracle_query-paramater