CWE - CWE-117: Incorrect Output Sanitization for Logs (1.0)

Home > CWE List > CWE- Individual Dictionary Definition (1.0)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-117: Incorrect Output Sanitization for Logs

Individual Definition in a New Window

Incorrect Output Sanitization for Logs

Status: Draft

Weakness ID: 117 (Weakness Base)

Description

Summary

Writing unsanitized user input into log files can allow an attacker to forge log entries or inject malicious content into logs.

Likelihood of Exploit

Medium

Weakness Ordinalities

Primary (where the weakness exists independent of other weaknesses)

Causal Nature

Explicit (an explicit weakness resulting from behavior of the developer)

Potential Mitigations

Assume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data to be diplayed or stored. Use an "accept known good" validation strategy.

Use and specify a strong output encoding (such as ISO 8859-1 or UTF 8).

Do not rely exclusively on blacklist validation to detect malicious input or to encode output. There are too many variants to encode a character; you're likely to miss some variants.

Inputs should be decoded and canonicalized to the application's current internal representation before being validated. Make sure that your application does not decode the same input twice. Such errors could be used to bypass whitelist schemes by introducing dangerous inputs after they have been checked.

Demonstrative Examples

The following web application code attempts to read an integer value from a request object. If the value fails to parse as an integer, then the input is logged with an error message indicating what happened.

...

String val = request.getParameter("val");

try {

int value = Integer.parseInt(val);

}

catch (NumberFormatException) {

log.info("Failed to parse val = " + val);

}

...

If a user submits the string "twenty-one" for val, the following entry is logged: INFO: Failed to parse val=twenty-one However, if an attacker submits the string "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy", the following entry is logged: INFO: Failed to parse val=twenty-one INFO: User logged out=badguy Clearly, attackers can use this same mechanism to insert arbitrary log entries.

Observed Examples

Reference	Description
CVE-2006-4624	Chain: inject fake log entries with fake timestamps using CRLF injection

Other Notes

Log forging vulnerabilities occur when: 1. Data enters an application from an untrusted source. 2. The data is written to an application or system log file. Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information. Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. If the log file is processed automatically, the attacker can render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act [22]. In the worst case, an attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility [17].

References

[17] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.

[22] A. Muffet. "The night the log was forged". <http://doc.novsu.ac.ru/oreilly/tcpip/puis/ch10_05.htm>.

OWASP. "OWASP TOP 10". <http://www.owasp.org/index.php/Top_10_2007>.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Class	116	Insufficient Output Sanitization	Research Concepts (primary)1000
ChildOf	Weakness Class	20	Insufficient Input Validation	Development Concepts (primary)699 Seven Pernicious Kingdoms (primary)700
CanFollow	Weakness Base	93	Failure to Sanitize CRLF Sequences (aka 'CRLF Injection')	Research Concepts1000

Taxonomy Mappings

Mapped Taxonomy Name	Mapped Node Name
7 Pernicious Kingdoms	Log Forging

Applicable Platforms

Languages

All

Time of Introduction

Implementation

Related Attack Patterns

CAPEC-ID	(CAPEC Version 1.1)Attack Pattern Name
81	Web Logs Tampering
93	Log Injection-Tampering-Forging

Content History

Submissions

7 Pernicious Kingdoms. (Externally Mined)

Modifications

Eric Dalci. Cigital. 2008-07-01. (External)

updated References, Potential_Mitigations, Time_of_Introduction

CWE Content Team. MITRE. 2008-09-08. (Internal)

updated Relationships, Other_Notes, References, Taxonomy_Mappings, Weakness_Ordinalities

Previous Entry Names

Log Forging (changed 2008-04-11)

Page Last Updated: September 10, 2008


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2008, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us