This repository was archived by the owner on Jan 22, 2024. It is now read-only.

MNT-20203 Improper Output Neutralization for Logs CWE ID 117 #91

Open
LMRob wants to merge 1 commit into Alfresco:develop from LMRob:MNT-20203

Conversation

@LMRob LMRob commented Jan 31, 2019


A function call could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible.

  • added a new Java class to neutralize log output
  • imported the ESAPI library to encode log output for HTML
  • overrode the log4j configuration to use the new custom layout class as the layout pattern for share.log

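The PR description above outlines the technique (a custom log4j layout that runs every rendered log message through an ESAPI HTML encoder before it is written) without showing it. The following is an added example, not code from this PR or from Alfresco Share. To stay dependency-free it uses the JDK's java.util.logging.Formatter in place of a log4j PatternLayout and a hand-written encoder in place of ESAPI; the class name NeutralizingLogFormatter, the method neutralize and the logger name share.login are this example's own choices, and the attacker-controlled username is constructed input.

```java
import java.util.logging.ConsoleHandler;
import java.util.logging.Formatter;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

/**
 * Added example (not Alfresco's code): a log formatter that neutralizes
 * untrusted data before it reaches the log file. The PR does this with a
 * custom log4j PatternLayout backed by ESAPI's HTML encoder; this version
 * uses the JDK's java.util.logging.Formatter and a hand-written encoder so
 * it runs with no external dependencies. Names here are hypothetical.
 */
public class NeutralizingLogFormatter extends Formatter {

    /**
     * Two threats, two transformations:
     *  - CR/LF are replaced with visible escapes, so an attacker cannot
     *    terminate the current line and forge a second, fake log entry;
     *  - HTML metacharacters are entity-encoded, so a browser-based log
     *    viewer that renders the file cannot be hit with stored XSS.
     * Other control characters (ESC for terminal escape sequences, backspace
     * to overwrite text) are rendered as hex escapes for the same reason.
     */
    public static String neutralize(String s) {
        if (s == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\r': out.append("\\r");    break;
                case '\n': out.append("\\n");    break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:
                    if (c < 0x20 || c == 0x7f) {
                        out.append(String.format("\\x%02x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    @Override
    public String format(LogRecord record) {
        // Neutralize the fully rendered message (placeholders already filled in)
        // so every untrusted parameter is covered, not only the template text.
        return record.getLevel() + " " + record.getLoggerName() + " - "
                + neutralize(formatMessage(record)) + System.lineSeparator();
    }

    public static void main(String[] args) {
        Logger log = Logger.getLogger("share.login");
        log.setUseParentHandlers(false);
        ConsoleHandler handler = new ConsoleHandler();
        handler.setFormatter(new NeutralizingLogFormatter());
        log.addHandler(handler);

        // Constructed attacker input: a username carrying CRLF to forge a
        // second "INFO" line, followed by a script tag aimed at an HTML log viewer.
        String user = "alice\r\nINFO share.login - User admin logged in OK"
                + "<script>alert(1)</script>";

        // With a plain formatter this would produce two lines, the second one
        // indistinguishable from a genuine successful login. Here it stays one
        // line, and the tag comes out as &lt;script&gt;...&lt;/script&gt;.
        log.log(Level.WARNING, "Login failed for user {0}", user);
    }
}
```

Encoding the whole rendered line for HTML, as the PR does for share.log, is a trade-off: it protects a browser-based viewer but makes raw files noisier for grep and for log shippers that do not expect entities. The alternative is to leave the layout alone and encode only the untrusted fields (usernames, request parameters, headers) at each call site; the CR/LF replacement is the part that is safe to apply globally either way.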
mikeh commented Feb 13, 2019


I believe the same comments apply here as those from @skopf on the sibling PR for the remote-api project - see Alfresco/alfresco-remote-api#145 (comment)

LMRob commented Feb 18, 2019


Thanks Mike. I have responded with design comments / options in JIRA.
