CWE-117: Improper Output Neutralization for Logs

Description

The product does not neutralize or incorrectly neutralizes output that is written to logs.

Submission Date: 2006-07-19

Modification Date: 2023-06-29

Organization: MITRE

Extended Description

This can allow an attacker to forge log entries or inject malicious content into logs.

Log forging vulnerabilities occur when:

  1. Data enters an application from an untrusted source.
  2. The data is written to an application or system log file.

Example Vulnerable Codes

Example - 1

The following web application code attempts to read an integer value from a request object. If the parseInt call fails, then the input is logged with an error message indicating what happened.

String val = request.getParameter("val");
try {
    int value = Integer.parseInt(val);
} catch (NumberFormatException e) {
    // The raw, unneutralized request value is concatenated into the log message.
    log.info("Failed to parse val = " + val);
}
...

If a user submits the string "twenty-one" for val, the following entry is logged:

INFO: Failed to parse val=twenty-one

However, if an attacker submits the string "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy", the following entry is logged:

INFO: Failed to parse val=twenty-one

INFO: User logged out=badguy

Clearly, attackers can use this same mechanism to insert arbitrary log entries.
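The following is an added example, not code from the CWE entry: it places the vulnerable pattern from Example 1 next to a hardened version that neutralizes line breaks and other control characters before the untrusted value reaches the log. The class name, the neutralizeForLog helper and the 256-character limit are assumptions made for this example; the input string is the URL-decoded form of the payload shown above, constructed here for the demonstration.

```java
import java.util.logging.Logger;

public class LogNeutralization {
    private static final Logger log = Logger.getLogger(LogNeutralization.class.getName());
    // Assumed limit: one untrusted field should not be able to flood the log.
    private static final int MAX_LOGGED_LENGTH = 256;

    // Vulnerable form (CWE-117): the raw request value is concatenated into the
    // message, so any CR/LF inside it starts a new, attacker-controlled log line.
    static void parseAndLogUnsafe(String val) {
        try {
            Integer.parseInt(val);
        } catch (NumberFormatException e) {
            log.info("Failed to parse val = " + val);
        }
    }

    // Neutralize untrusted text for a single-line log record: CR and LF become
    // the visible escapes \r and \n, every other control character (including
    // ESC, which can carry terminal escape sequences) becomes \xNN, and the
    // value is truncated. The original bytes stay recoverable for forensics.
    static String neutralizeForLog(String untrusted) {
        if (untrusted == null) {
            return "<null>";
        }
        StringBuilder sb = new StringBuilder(untrusted.length());
        int limit = Math.min(untrusted.length(), MAX_LOGGED_LENGTH);
        for (int i = 0; i < limit; i++) {
            char c = untrusted.charAt(i);
            if (c == '\r') {
                sb.append("\\r");
            } else if (c == '\n') {
                sb.append("\\n");
            } else if (Character.isISOControl(c)) {
                sb.append(String.format("\\x%02X", (int) c));
            } else {
                sb.append(c);
            }
        }
        if (untrusted.length() > MAX_LOGGED_LENGTH) {
            sb.append("...(truncated)");
        }
        return sb.toString();
    }

    // Hardened form: the value is neutralized and quoted, so the record stays
    // one line and the boundaries of the untrusted field are unambiguous.
    static void parseAndLogSafe(String val) {
        try {
            Integer.parseInt(val);
        } catch (NumberFormatException e) {
            log.info("Failed to parse val = '" + neutralizeForLog(val) + "'");
        }
    }

    public static void main(String[] args) {
        // Constructed input: URL-decoded form of "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy".
        String forged = "twenty-one\n\nINFO: User logged out=badguy";
        parseAndLogUnsafe(forged); // the embedded newlines produce extra log lines
        parseAndLogSafe(forged);   // one line: ... val = 'twenty-one\n\nINFO: User logged out=badguy'
    }
}
```

Character.isISOControl covers U+0000 to U+001F and U+007F to U+009F only; if the log consumer treats Unicode line separators such as U+2028 as record boundaries, those need the same treatment. Neutralizing at the point of logging is a last line of defense, not a replacement for logging untrusted values as distinct, quoted fields in a structured (for example JSON) record.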

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships are defined to give an overview of similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.