Code-Racing / brickyard


CONTRAST: Log Injection from "input" Parameter on "/servlet-2.5/log-string" page #33

Open valvolineford opened 4 years ago

valvolineford commented 4 years ago

Vulnerability ID: C1SD-W2O5-GWPS-GBY4

Application Name: AgentMessageGeneratorJava

Vulnerability Link: http://localhost:19080/Contrast/static/ng/index.html#/7c6cfec5-a187-4d5e-984a-d11d96d2ef63/applications/6394f24f-037b-43bb-8ac2-05fa5fb5d862/vulns/C1SD-W2O5-GWPS-GBY4

What Happened?

We tracked the following data from "input" Parameter:

GET /servlet-2.5/log-string?input=value

...which was accessed within the following code:

com.contrastsecurity.testapp.servlet25.log.LogStringServlet#doGet(), line 31

...and ended up in this log message:

value

What's the risk?

The application takes data from the user and writes it to a log file without validation or encoding. Technically, a user could provide newline characters and spoof new log entries. It's unlikely that this could cause real harm to any of the application stakeholders, but some regulations require log file integrity to be controlled.

Recommendation

Sanitize or validate all input that is going to be logged. Make sure users can't provide newline characters that get into log messages.

First Event

Stack:
  org.apache.catalina.connector.RequestFacade.getParameter(RequestFacade.java:355)
  com.contrastsecurity.testapp.servlet25.log.LogStringServlet.doGet(LogStringServlet.java:25)
  javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
  javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
  org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
  org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
  org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
  org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
  org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
  org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
  org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
  org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
  org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
  org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
  org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
  org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
  org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
  java.lang.Thread.run(Thread.java:701)

Last Event

Stack:
  com.contrastsecurity.testapp.servlet25.log.LogStringServlet.log(LogStringServlet.java:43)
  com.contrastsecurity.testapp.servlet25.log.LogStringServlet.doGet(LogStringServlet.java:31)
  javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
  javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
  org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
  org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
  org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
  org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
  org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
  org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
  org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
  org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
  org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
  org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
  org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
  org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
  org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
  java.lang.Thread.run(Thread.java:701)

HTTP Request

  GET http://localhost:32814/servlet-2.5/log-string?input=value HTTP/1.0
  Connection: Keep-Alive
  Host: localhost:32814
  Contrast-Mq-Name: queue-039-HttpServlet25ForwardCompatibleMixin.it_tests_servlet_log_sinks-contrastsecurity-docker.jfrog.io/contrast/jboss-servlet-2.5:5.1.0.CR1-rev1
  User-Agent: okhttp/3.9.1
  Accept-Encoding: gzip