CWE-117: Improper Output Neutralization for Logs
Description
The product does not neutralize or incorrectly neutralizes output that is written to logs.
Submission Date: 2006-07-19
Modification Date: 2023-06-29
Organization: MITRE
Extended Description
This can allow an attacker to forge log entries or inject malicious content into logs.
Log forging vulnerabilities occur when both of the following hold:
- Data enters an application from an untrusted source.
- The data is written to an application or system log file without neutralizing the characters that delimit log entries (typically carriage return and line feed) or that a log viewer may interpret.
Example - 1
The following web application code attempts to read an integer value from a request object. If the parseInt call fails, then the input is logged with a message indicating what happened. (The exception variable name, which the original listing omitted, has been added so the fragment is valid Java.)

    String val = request.getParameter("val");
    try {
        int value = Integer.parseInt(val);
    }
    catch (NumberFormatException e) {
        log.info("Failed to parse val = " + val);
    }
    ...
If a user submits the string "twenty-one" for val, the following entry is logged (the INFO: prefix is the level marker the logging framework prepends to each entry):

    INFO: Failed to parse val = twenty-one

However, if an attacker submits the string "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy", the servlet container URL-decodes each %0a to a line feed, each + to a space and %3d to "=", and the following is logged:

    INFO: Failed to parse val = twenty-one

    INFO: User logged out=badguy
Because the injected line carries the same prefix and layout as a genuine entry, nothing in the log file distinguishes it from one the application wrote. Attackers can use this same mechanism to insert arbitrary log entries, bury evidence of an attack under forged noise, or, where the log is rendered in a browser or terminal, inject markup or escape sequences that the viewer interprets.
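The vulnerable pattern above beside a neutralized version, as an added example that is not part of the CWE entry. The servlet request is simulated with a Map and the logger with a method that formats one INFO:-prefixed line, so the program runs stand-alone; the class and method names (LogForgingDemo, neutralizeForLog, handle) are illustrative, not from any library.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

// Added example (not MITRE's code). Shows the page's vulnerable logging call
// beside a neutralized one, with the request and logger simulated inline.
public class LogForgingDemo {

    // Stand-in for the page's `log.info`: one entry per line with an "INFO: "
    // prefix, the layout the attacker's payload imitates.
    static String formatEntry(String message) {
        return "INFO: " + message + System.lineSeparator();
    }

    // Vulnerable: untrusted input is concatenated into the message unchanged,
    // so a CR/LF inside it ends the entry and starts an attacker-controlled one.
    static String logParseFailureUnsafe(String val) {
        return formatEntry("Failed to parse val = " + val);
    }

    // Neutralization: escape every ASCII control character (CR, LF, TAB, ESC and
    // the rest) so one input can never span more than one line, and bracket the
    // value so its boundaries are unambiguous to a human or a log parser.
    static String neutralizeForLog(String input) {
        if (input == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            if (c == '\n') {
                sb.append("\\n");
            } else if (c == '\r') {
                sb.append("\\r");
            } else if (c == '\t') {
                sb.append("\\t");
            } else if (c < 0x20 || c == 0x7f) {
                sb.append(String.format("\\x%02x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    static String logParseFailureSafe(String val) {
        return formatEntry("Failed to parse val = [" + neutralizeForLog(val) + "]");
    }

    // Mirrors the page's servlet code path; `request` stands in for
    // HttpServletRequest.getParameter so the example needs no servlet API.
    static String handle(Map<String, String> request, boolean neutralize) {
        String val = request.get("val");
        try {
            int value = Integer.parseInt(val);
            return formatEntry("Parsed val = " + value);
        } catch (NumberFormatException e) {
            return neutralize ? logParseFailureSafe(val) : logParseFailureUnsafe(val);
        }
    }

    public static void main(String[] args) {
        // The attacker's string from the page as it arrives in the query string,
        // URL-decoded the way a servlet container decodes getParameter()
        // (%0a -> LF, + -> space, %3d -> '='). Requires Java 10+ for this overload.
        String raw = "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy";
        String decoded = URLDecoder.decode(raw, StandardCharsets.UTF_8);

        // Unsafe path: prints three physical lines, the last a forged entry.
        System.out.print("--- unsafe ---" + System.lineSeparator());
        System.out.print(handle(Map.of("val", decoded), false));

        // Neutralized path: prints one line, with the payload's newlines visible as \n.
        System.out.print("--- neutralized ---" + System.lineSeparator());
        System.out.print(handle(Map.of("val", decoded), true));
    }
}
```

Escaping control characters is the minimum for line-oriented text logs. If the log is structured (for example JSON written by a logging framework's encoder), rely on that encoder's escaping rather than a hand-written one, and still bound the length of any untrusted value you record so a single request cannot flood the file.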
Related Weaknesses
This table shows the weaknesses and high-level categories that are related to this weakness. These relationships are defined to give an overview of similar items that may exist at higher and lower levels of abstraction.
Visit http://cwe.mitre.org/ for more details.