apache: log file injection

Related Vulnerabilities: CVE-2003-1580, CVE-2003-1581

Debian Bug report logs - #570740

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Sun, 21 Feb 2010 06:33:51 UTC

Severity: normal

Tags: security

Done: Stefan Fritsch <sf@sfritsch.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#570740; Package apache2. (Sun, 21 Feb 2010 06:33:55 GMT)


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Sun, 21 Feb 2010 06:33:55 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: apache: log file injection
Date: Sun, 21 Feb 2010 01:29:02 -0500
Package: apache2
Severity: normal
Tags: security

Hi, the following issues were disclosed in 2003 for apache, but they
just got CVE numbers a few days ago. I haven't checked whether the
latest version of apache2 is affected, and if it isn't, please close
this bug. The problem actually seems rather unimportant to me since the
real issue is input sanitization for any vulnerable apache log analyzer.

CVE-2003-1580[0]:
| The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
| client IP addresses, uses a logging format that does not identify
| whether a dotted quad represents an unresolved IP address, which
| allows remote attackers to spoof IP addresses via crafted DNS
| responses containing numerical top-level domains, as demonstrated by a
| forged 123.123.123.123 domain name, related to an "Inverse Lookup Log
| Corruption (ILLC)" issue.

CVE-2003-1581[1]:
| The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
| client IP addresses, allows remote attackers to inject arbitrary text
| into log files via an HTTP request in conjunction with a crafted DNS
| response, as demonstrated by injecting XSS sequences, related to an
| "Inverse Lookup Log Corruption (ILLC)" issue.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1580
    http://security-tracker.debian.org/tracker/CVE-2003-1580
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1581
    http://security-tracker.debian.org/tracker/CVE-2003-1581




Reply sent to Stefan Fritsch <sf@sfritsch.de>:
You have taken responsibility. (Mon, 22 Feb 2010 20:42:16 GMT)


Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Mon, 22 Feb 2010 20:42:16 GMT)


Message #10 received at 570740-done@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Michael Gilbert <michael.s.gilbert@gmail.com>
Cc: 570740-done@bugs.debian.org
Subject: Re: Bug#570740: apache: log file injection
Date: Mon, 22 Feb 2010 21:37:40 +0100
Hi Michael,

I don't think there is anything in Apache that should be changed for 
these issues. I will close the bug and mark them as unimportant in the 
security tracker:

On Sunday 21 February 2010, Michael Gilbert wrote:
> CVE-2003-1580[0]:
> | The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
> | client IP addresses, uses a logging format that does not identify
> | whether a dotted quad represents an unresolved IP address, which
> | allows remote attackers to spoof IP addresses via crafted DNS
> | responses containing numerical top-level domains, as demonstrated
> | by a forged 123.123.123.123 domain name, related to an "Inverse
> | Lookup Log Corruption (ILLC)" issue.

This doesn't seem much different from a PTR record pointing to an 
arbitrary domain name. Both cases can be handled by doing double 
reverse lookups. Apache does this if configured with "HostNameLookups 
double". It should be well known that single reverse lookups are 
unreliable, so I don't see a security issue here.

> CVE-2003-1581[1]:
> | The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
> | client IP addresses, allows remote attackers to inject arbitrary
> | text into log files via an HTTP request in conjunction with a
> | crafted DNS response, as demonstrated by injecting XSS sequences,
> | related to an "Inverse Lookup Log Corruption (ILLC)" issue.

This is purely a log analyzer issue. Apache correctly escapes control 
characters in hostnames. For everything else, the log analyzer is 
responsible.

Cheers,
Stefan
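Stefan's two points above, as an added example that is not code from Apache or from the bug thread: a forward-confirmed reverse lookup equivalent in spirit to `HostNameLookups double`, fed by constructed PTR/A data so it runs offline, plus the HTML escaping a log analyzer owes the hostname field. The rejection of PTR names that parse as IP literals is an extra check added here, beyond what the double lookup itself does.

```python
import html
import ipaddress

# Constructed sample DNS data standing in for real PTR and A lookups.
FAKE_PTR = {
    "203.0.113.7": "host7.example.net",      # honest PTR; forward record agrees
    "198.51.100.9": "123.123.123.123",       # PTR that merely looks like a dotted quad
    "192.0.2.5": "bad<script>x</script>.example",  # PTR carrying markup for an analyzer
}
FAKE_A = {
    "host7.example.net": ["203.0.113.7"],
    "123.123.123.123": [],                   # numeric "name" resolves nowhere
    "bad<script>x</script>.example": ["192.0.2.5"],
}


def ptr_lookup(ip):
    """Stand-in for a reverse (PTR) query; returns a name or None."""
    return FAKE_PTR.get(ip)


def a_lookup(name):
    """Stand-in for a forward (A) query; returns a list of addresses."""
    return FAKE_A.get(name, [])


def double_reverse_lookup(ip, ptr=ptr_lookup, forward=a_lookup):
    """Accept the PTR name only if it resolves back to the original address.
    A PTR result that parses as an IP literal is rejected outright (extra check)."""
    name = ptr(ip)
    if not name:
        return None
    try:
        ipaddress.ip_address(name)
        return None
    except ValueError:
        pass
    return name if ip in forward(name) else None


def remote_host_field(ip):
    """What a double-lookup logger records: the confirmed name, else the literal IP."""
    return double_reverse_lookup(ip) or ip


def render_for_html(field):
    """Analyzer side: Apache only escapes control characters, so escape markup here."""
    return html.escape(field, quote=True)
```

With the constructed data, the spoofed dotted quad falls back to the real address, while the markup-bearing name passes the double lookup (its forward record agrees) and must be escaped by whatever renders the log.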




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#570740; Package apache2. (Mon, 22 Feb 2010 21:12:05 GMT)


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Mon, 22 Feb 2010 21:12:05 GMT)


Message #15 received at 570740@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 570740@bugs.debian.org
Subject: Re: Bug#570740: apache: log file injection
Date: Mon, 22 Feb 2010 16:13:27 -0500
On Mon, 22 Feb 2010 21:37:40 +0100, Stefan Fritsch wrote:
> Hi Michael,
> 
> I don't think there is anything in Apache that should be changed for 
> these issues. I will close the bug and mark them as unimportant in the 
> security tracker:
> 
> On Sunday 21 February 2010, Michael Gilbert wrote:
> > CVE-2003-1580[0]:
> > | The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
> > | client IP addresses, uses a logging format that does not identify
> > | whether a dotted quad represents an unresolved IP address, which
> > | allows remote attackers to spoof IP addresses via crafted DNS
> > | responses containing numerical top-level domains, as demonstrated
> > | by a forged 123.123.123.123 domain name, related to an "Inverse
> > | Lookup Log Corruption (ILLC)" issue.
> 
> This doesn't seem much different from a PTR record pointing to an 
> arbitrary domain name. Both cases can be handled by doing double 
> reverse lookups. Apache does this if configured with "HostNameLookups 
> double". It should be well known that single reverse lookups are 
> unreliable, so I don't see a security issue here.
> 
> > CVE-2003-1581[1]:
> > | The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
> > | client IP addresses, allows remote attackers to inject arbitrary
> > | text into log files via an HTTP request in conjunction with a
> > | crafted DNS response, as demonstrated by injecting XSS sequences,
> > | related to an "Inverse Lookup Log Corruption (ILLC)" issue.
> 
> This is purely a log analyzer issue. Apache correctly escapes control 
> characters in hostnames. For everything else, the log analyzer is 
> responsible.

I came to the same conclusions, and I've already marked the issues
unimportant in the tracker. My goal for the bug report was to get a
second opinion from someone more familiar with apache. Thanks!

mike




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 23 Mar 2010 07:35:41 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:39:46 2019; Machine Name: buxtehude
