Re: [AOLSERVER] AOLServer Terminal Escape Sequence in Logs Command Injection Vulnerability

2010-09-10 Thread Dossy Shiobara
 Fair enough.  ;-)

On 9/10/10 2:07 AM, Gustaf Neumann wrote:
> The information loss (changing ESC to the bell character 7) is very
> little;
> under normal operation, you should never have a bell character in the
> log file, and now, if you see one, it should ring a bell 

-- 
Dossy Shiobara  | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network   | http://panoptic.com/
  "He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on." (p. 70) 


--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to 
 with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: 
field of your email blank.


Re: [AOLSERVER] AOLServer Terminal Escape Sequence in Logs Command Injection Vulnerability

2010-09-10 Thread Gustaf Neumann

The problem is a very old one, known at least since the
1980s. There are discussions about whether this qualifies
as a security problem of some software writing to a logfile or
as a problem of the terminal emulators (which it actually is).
IMHO, this discussion is worthless. Some vendors of
webservers even seem to refuse to fix this.

Actually, every software writing "unfiltered" to some terminals
is dangerous, even a grep. The real security problem is
some terminal emulations, but there are many of these.
The evil thing is that writing to the log file in the first
place does nothing bad, but looking at the logfile with
some standard tools can raise the problem - it is
a sleeper attack. If the log file is e.g. accessible via NFS,
the machines of developers watching the log file
are under attack.

As mentioned above this is not only a problem of
aolserver, but potentially of more or less all logging
programs or programs writing unfiltered to a terminal,
such as e.g. database management systems, etc.

If you're super-paranoid, don't "tail -f" access log files or other
files that an attacker can write to through accessing a service on your
system.  Get into the habit of "cat -v $FILENAME" to make sure
non-printable characters are escaped, instead of being fed unfiltered to
your terminal program.

or " tail -f ... | cat -v"

-gustaf neumann
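The two defensive measures the thread mentions (viewing logs through "cat -v", and rewriting ESC to the bell character before it reaches the log) as small shell functions, with a constructed access-log line for testing. This is an added example, not code from the thread or from AOLserver; the sample line and function names are assumptions.

```shell
#!/bin/sh
# Constructed sample access-log line carrying an escape sequence in the request path
# (ESC [2J is the "clear screen" sequence). Not taken from any real log.
sample_log_line() {
    printf '127.0.0.1 - - [10/Sep/2010:02:07:00 +0200] "GET /\033[2Jindex.html HTTP/1.0" 404 0\n'
}

# Viewer-side defence from the thread: render control characters visibly.
# cat -v turns ESC into "^[" and other C0 controls into "^X", so the terminal
# emulator never sees a raw escape byte. Use as: tail -f access.log | show_controls
show_controls() {
    cat -v
}

# Writer-side defence from the thread: map ESC (octal 033) to BEL (octal 007)
# before the line is stored, so a later viewer gets a bell instead of a sequence.
esc_to_bell() {
    tr '\033' '\007'
}

# Quick audit for logs already on disk: count raw ESC bytes in the input.
# A non-zero count means the file should not be viewed without filtering.
count_esc() {
    tr -cd '\033' | wc -c | tr -d ' '
}

# Demonstration when run directly: show the sanitised line and the ESC count.
sample_log_line | show_controls
printf 'ESC bytes in sample: %s\n' "$(sample_log_line | count_esc)"
```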

