
Log Forging in DispatcherServlet via requestURI


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 3.2.8, 4.0.2
    • Fix Version/s: 3.2.9, 4.0.3
    • Component/s: Web

      Description

      There is a security issue on line 843/844. An attacker can manipulate the log via a malicious request.

      The method doService extracts the URI from the request and uses it unvalidated.

      Source:

      logger.debug("DispatcherServlet with name '" + getServletName() + "'" + resumed +
              " processing " + request.getMethod() + " request for [" + requestUri + "]");

      An attacker can forge the log by sending a request containing %0D%0A

      Like: /app/home%0D%0AFAKE

      The log will look like:

      08:34:50.145 [http-bio-8080-exec-1] DEBUG o.s.web.servlet.DispatcherServlet - DispatcherServlet with name 'dispatcher' processing GET request for [/app/home
      FAKE]
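      As an added illustration of the mitigation (this is example code, not Spring's fix and not code from the reporter), the helper below neutralizes CR, LF and other control characters in a value before it is concatenated into a log message, then prints the page's sample request both unsanitized and sanitized. The class name LogSanitizer, the method neutralize and the hard-coded sample values are assumptions made for this example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Hypothetical helper for this example: escape control characters so that a
// single logged value can never span more than one log line.
public final class LogSanitizer {

    private LogSanitizer() {}

    public static String neutralize(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\r': sb.append("\\r"); break;   // carriage return (%0D)
                case '\n': sb.append("\\n"); break;   // line feed (%0A)
                case '\t': sb.append("\\t"); break;
                default:
                    // Other C0 controls and DEL are rendered as visible escapes.
                    if (c < 0x20 || c == 0x7f) {
                        sb.append(String.format("\\u%04x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the decoded form of the request path from the report.
        String requestUri = URLDecoder.decode("/app/home%0D%0AFAKE", StandardCharsets.UTF_8);
        String servletName = "dispatcher";   // assumed value
        String method = "GET";               // assumed value

        // Vulnerable pattern (as on the page): the value is concatenated unmodified,
        // so the embedded CRLF starts a second, attacker-controlled log line.
        String unsafe = "DispatcherServlet with name '" + servletName + "' processing "
                + method + " request for [" + requestUri + "]";

        // Hardened pattern: the value is neutralized before it reaches the logger.
        String safe = "DispatcherServlet with name '" + servletName + "' processing "
                + method + " request for [" + neutralize(requestUri) + "]";

        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);
    }
}
```

      With the sanitized form the forged text stays on the original line as the literal sequence `\r\n`, so a log consumer parsing one record per line sees a single record for the request.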

            People

            Assignee:
            juergen.hoeller Juergen Hoeller
            Reporter:
            dariusb Darius Bohni
            Last updater:
            Spring Issues Spring Issues
            Votes:
            0
            Watchers:
            3
