You’ll note that the second line lacks tags which help identify a new log 
record.  OWASP makes some good observations, and a casual observer might make 
incorrect assumptions.

Admittedly, I don’t view syslog as a particularly secure thing (it isn’t!), and 
relying on it for very much is rather risky IMO.  You can make it more reliable 
by using a dedicated log host that doesn’t do anything else, and that is very 
tightly locked down, but even that can be subject to log injection attacks.

I think rsyslog, syslog-ng, and so forth have encryption capabilities which may 
make it harder to perform log injection attacks against the log host, unless 
the attacker is able to cause a trusted machine to generate log entries — but 
that’s often not very hard.

 - Garrett

> On Nov 12, 2014, at 5:57 AM, Johann 'Myrkraverk' Oskarsson via 
> illumos-discuss <[email protected]> wrote:
> 
> Hi all,
> 
> First, about log injection:
> 
>  https://www.owasp.org/index.php/Log_injection
> 
> I do not know about a better reference for it.
> 
> My current system is OI 151a8.
> 
> When I do
> 
>  syslog( LOG_DEBUG, "Hello\nworld" );
> 
> in perl (and I assume C is the same), I get
> 
>  Nov 12 13:31:56 asuka logtest[14973]: [ID 702911 user.debug] Hello
>  Nov 12 13:31:56 asuka world
> 
> in my log file.  Which is exactly the kind of vulnerability OWASP is
> talking about.
> 
> I have not tried other control characters, yet.
> 
> For the record, Ubuntu's rsyslog encodes control characters with #
> escaped octal numbers, like #007.
> 
> I have personally no opinion if this behaviour should change, it's a
> simple heads up about a documented vulnerability at OWASP.
> 
> -- 
> Johann
> 
> I'm not from the internet, I just work there.
> 
> 
> -------------------------------------------
> illumos-discuss
> Archives: https://www.listbox.com/member/archive/182180/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/182180/22003744-9012f59c
> Modify Your Subscription: https://www.listbox.com/member/?&;
> Powered by Listbox: http://www.listbox.com

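Two defensive checks that follow from the thread, as an added example (not code from either poster or from illumos): escaping control characters in a message before it reaches syslog(3), using the `#ooo` octal form Johann reports for Ubuntu's rsyslog, and scanning a log file for lines that carry the syslogd timestamp and host but no `tag[pid]:` field, which is what the injected second line in the quoted output looks like. The sample log lines are constructed from the thread's output plus one made-up sshd line; the tag heuristic assumes the classic BSD syslog layout (`Mon dd hh:mm:ss host tag[pid]: msg`) and is an assumption, not something the thread specifies.

```c
#include <stdio.h>
#include <string.h>

/* Escape every control character (0x00-0x1f and 0x7f) as #ooo, the octal
 * form the thread reports for Ubuntu's rsyslog. Returns the number of bytes
 * written (excluding the NUL), or -1 if the output buffer is too small. */
int escape_control_chars(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (*p < 0x20 || *p == 0x7f) {
            if (n + 4 >= outlen)          /* need 4 bytes plus the NUL */
                return -1;
            n += (size_t)snprintf(out + n, outlen - n, "#%03o", *p);
        } else {
            if (n + 1 >= outlen)
                return -1;
            out[n++] = (char)*p;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Convenience wrapper: 1 if escaping `in` yields exactly `expected`. */
int escape_equals(const char *in, const char *expected)
{
    char buf[256];
    if (escape_control_chars(in, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Inspect one log line in BSD syslog layout. Returns 1 if the fifth field
 * (after month, day, time, host) ends in ':' like "logtest[14973]:", 0 if
 * the line has the timestamp/host prefix but no such tag (the shape of an
 * injected continuation line), and -1 if the prefix itself is missing. */
int has_syslog_tag(const char *line)
{
    const char *p = line;
    for (int field = 0; field < 4; field++) {   /* month, day, time, host */
        while (*p == ' ') p++;
        if (*p == '\0') return -1;
        while (*p && *p != ' ') p++;
    }
    while (*p == ' ') p++;
    if (*p == '\0') return -1;
    const char *start = p;
    while (*p && *p != ' ') p++;                /* the tag token */
    return (p > start && p[-1] == ':') ? 1 : 0;
}

/* Constructed sample: the two lines from the thread plus one normal line. */
static const char *sample_log[] = {
    "Nov 12 13:31:56 asuka logtest[14973]: [ID 702911 user.debug] Hello",
    "Nov 12 13:31:56 asuka world",
    "Nov 12 13:32:01 asuka sshd[1200]: [ID 800047 auth.info] Accepted publickey for jdoe",
};
static const size_t sample_log_len = sizeof sample_log / sizeof sample_log[0];

/* Count lines that have the syslogd prefix but no tag field. */
int count_untagged(const char **lines, size_t n)
{
    int untagged = 0;
    for (size_t i = 0; i < n; i++)
        if (has_syslog_tag(lines[i]) == 0)
            untagged++;
    return untagged;
}

int main(void)
{
    char buf[64];
    escape_control_chars("Hello\nworld", buf, sizeof buf);
    printf("escaped: %s\n", buf);            /* Hello#012world */
    for (size_t i = 0; i < sample_log_len; i++)
        printf("%s  <- %s\n", sample_log[i],
               has_syslog_tag(sample_log[i]) ? "tagged" : "NO TAG");
    printf("untagged lines: %d\n", count_untagged(sample_log, sample_log_len));
    return 0;
}
```

The escaping belongs in the application before it calls syslog(3), since the thread shows that OpenIndiana's syslogd itself passes the newline through; the tag check is a post-hoc audit over a collected log file and will also flag legitimate multi-line messages, so treat a hit as something to look at rather than proof of injection.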