https://bz.apache.org/bugzilla/show_bug.cgi?id=58040
Bug ID: 58040
Summary: Log Forging
Product: POI
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: POI Overall
Assignee: [email protected]
Reporter: [email protected]
Log files created by poi can be manipulated. For example in
MessageSubmissionChunk:
logger.log(POILogger.WARN, "Warning - unable to make sense of date " +dateS);
where dateS can contain unvalidated user input. An attacker could take
advantage of this behavior to forge log entries or inject malicious content
into the log.
Explanation:
Log forging vulnerabilities occur when:
1. Data enters an application from an untrusted source.
2. The data is written to an application or system log file.
Applications typically use log files to store a history of events or
transactions for later review, statistics gathering, or debugging. Depending on
the nature of the application, the task of reviewing log files may be performed
manually on an as-needed basis or automated with a tool that automatically
culls logs for important events or trending information.
Interpretation of the log files may be hindered or misdirected if an attacker
can supply data to the application that is subsequently logged verbatim. In the
most benign case, an attacker may be able to insert false entries into the log
file by providing the application with input that includes appropriate
characters. If the log file is processed automatically, the attacker can render
the file unusable by corrupting the format of the file or injecting unexpected
characters. A more subtle attack might involve skewing the log file statistics.
Forged or otherwise corrupted log files can be used to cover an attacker's
tracks or even to implicate another party in the commission of a malicious act.
In the worst case, an attacker may inject code or other commands into the log
file and take advantage of a vulnerability in the log processing utility.
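As an added illustration (not POI's code), the following Java snippet builds the same warning message two ways: once exactly as the reported line concatenates dateS, and once through a hypothetical sanitizer that escapes CR, LF and other control characters so an untrusted value cannot start a new log record. The sample dateS value is constructed for the demonstration.

```java
import java.util.logging.Logger;

public class LogForgingDemo {
    private static final Logger LOG = Logger.getLogger("poi.hsmf.demo");

    // Hypothetical helper (not part of POI): neutralise characters that a
    // line-oriented log reader would treat as a record boundary.
    static String sanitizeForLog(String s) {
        if (s == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\r') {
                sb.append("\\r");
            } else if (c == '\n') {
                sb.append("\\n");
            } else if (c == '\t') {
                sb.append("\\t");
            } else if (Character.isISOControl(c)) {
                sb.append(String.format("\\u%04x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    // Message built the way the reported code builds it: input is copied verbatim.
    static String unsafeMessage(String dateS) {
        return "Warning - unable to make sense of date " + dateS;
    }

    // Hardened form: same message, untrusted value escaped first.
    static String safeMessage(String dateS) {
        return "Warning - unable to make sense of date " + sanitizeForLog(dateS);
    }

    public static void main(String[] args) {
        // Constructed sample: a "date" field that embeds a line break followed
        // by text shaped like a second log record.
        String dateS = "2015-06-17\nINFO: record that never happened";

        System.out.println("unsafe -> two lines:\n" + unsafeMessage(dateS));
        System.out.println("safe   -> one line:\n" + safeMessage(dateS));
        LOG.warning(safeMessage(dateS));
    }
}
```

The unsafe message prints as two lines, the second indistinguishable from a genuine record; the sanitized message stays on one line with a visible "\n" marker, which also makes the injection attempt easy to spot when reviewing the log.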