
Bug#570740: apache: log file injection



On Mon, 22 Feb 2010 21:37:40 +0100, Stefan Fritsch wrote:
> Hi Michael,
> 
> I don't think there is anything in Apache that should be changed for 
> these issues. I will close the bug and mark them as unimportant in the 
> security tracker:
> 
> On Sunday 21 February 2010, Michael Gilbert wrote:
> > CVE-2003-1580[0]:
> > | The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
> > | client IP addresses, uses a logging format that does not identify
> > | whether a dotted quad represents an unresolved IP address, which
> > | allows remote attackers to spoof IP addresses via crafted DNS
> > | responses containing numerical top-level domains, as demonstrated
> > | by a forged 123.123.123.123 domain name, related to an "Inverse
> > | Lookup Log Corruption (ILLC)" issue.
> 
> This doesn't seem much different from a PTR record pointing to an 
> arbitrary domain name. Both cases can be handled by doing double 
> reverse lookups. Apache does this if configured with "HostNameLookups 
> double". It should be well known that single reverse lookups are 
> unreliable, so I don't see a security issue here.
> 
> > CVE-2003-1581[1]:
> > | The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
> > | client IP addresses, allows remote attackers to inject arbitrary
> > | text into log files via an HTTP request in conjunction with a
> > | crafted DNS response, as demonstrated by injecting XSS sequences,
> > | related to an "Inverse Lookup Log Corruption (ILLC)" issue.
> 
> This is purely a log analyzer issue. Apache correctly escapes control 
> characters in hostnames. For everything else, the log analyzer is 
> responsible.

i came to the same conclusions, and i've already marked the issues
unimportant in the tracker.  my goal for the bug report was to get a
second opinion from someone more familiar with apache.  thanks!

mike
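
The two mitigations named in this thread (double reverse lookups, and the log analyzer treating the host field as untrusted), as an added example that is not part of the original messages and is not Apache code. The DNS tables, addresses and function names are constructed for illustration, and falling back to the bare IP when confirmation fails is this example's choice.

```python
import html

# Constructed DNS data (documentation address ranges), standing in for a resolver.
PTR = {
    "192.0.2.10": "www.example.org",
    "198.51.100.7": "123.123.123.123",             # PTR name that looks like a dotted quad
    "203.0.113.5": "<b>injected</b>.example.net",  # PTR name carrying markup
}
# Forward (A) records: in this constructed data only the first name resolves back.
A = {"www.example.org": ["192.0.2.10"]}


def double_reverse(ip, ptr=PTR, a=A):
    """Return the PTR name for ip only if that name resolves back to ip.

    Otherwise return the bare IP (assumption of this example).
    """
    name = ptr.get(ip)
    if name is not None and ip in a.get(name, []):
        return name
    return ip


def render_host_cell(host_field):
    """Log-analyzer side: the host field is untrusted, so escape it for HTML."""
    return "<td>" + html.escape(host_field, quote=True) + "</td>"


if __name__ == "__main__":
    for ip, single in PTR.items():
        # 'single' is what an unconfirmed (single) reverse lookup would yield.
        confirmed = double_reverse(ip)
        print(f"{ip:14} single={single!r} double={confirmed!r}")
        print("   report cell:", render_host_cell(single))
```
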


