Ticket #1551 (new defect)

Opened 5 months ago

mod_accesslog does not escape quotes

Reported by: icy
Assigned to: jan
Priority: normal
Milestone: 1.4.20
Component: mod_accesslog
Version: 1.4.18
Severity: normal
Keywords: accesslog
Cc:
Blocking:
Need Feedback: 0

Description

mod_accesslog does not escape characters like quotes, so it is possible to corrupt or inject stuff into the access.log.

POC:

curl localhost/foo\"bar && tail -1 /var/log/lighttpd/access.log

or:

curl localhost -H "Referer: foo\" \"bar" && tail -1 /var/log/lighttpd/access.log
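Added example, not part of the ticket and not lighttpd's own code: one way to escape a client-supplied value before it is written inside a quoted access-log field, so that a quote in the URL or Referer cannot close the field early. The function name log_escape_field and the \xHH encoding for control and non-ASCII bytes are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not lighttpd code): copy a client-controlled value
 * into dst for use inside a quoted log field, escaping every byte that
 * could end the field or the log line early. Returns the number of bytes
 * written (excluding the NUL), or (size_t)-1 if dst is too small. */
size_t log_escape_field(char *dst, size_t dstlen, const char *src, size_t srclen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    for (size_t i = 0; i < srclen; i++) {
        unsigned char c = (unsigned char)src[i];

        if (c == '"' || c == '\\') {          /* field delimiter and escape char */
            if (dstlen - o < 3) return (size_t)-1;
            dst[o++] = '\\';
            dst[o++] = (char)c;
        } else if (c < 0x20 || c >= 0x7f) {   /* CR, LF, NUL, other non-printables */
            if (dstlen - o < 5) return (size_t)-1;
            dst[o++] = '\\';
            dst[o++] = 'x';
            dst[o++] = hex[c >> 4];
            dst[o++] = hex[c & 0x0f];
        } else {                              /* printable ASCII passes through */
            if (dstlen - o < 2) return (size_t)-1;
            dst[o++] = (char)c;
        }
    }
    if (o >= dstlen) return (size_t)-1;
    dst[o] = '\0';
    return o;
}

int main(void)
{
    /* constructed sample: the Referer value from the ticket's second command */
    const char *referer = "foo\" \"bar";
    char out[64];

    if (log_escape_field(out, sizeof out, referer, strlen(referer)) != (size_t)-1)
        printf("\"%s\"\n", out);
    return 0;
}
```

Escaping the backslash itself is what keeps the output unambiguous: a log parser can reverse the encoding and recover the exact bytes the client sent.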
