Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 3.9.2, 3.10.0
Affects Version/s: 2.10.0, 3.0.0, 3.7.0
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

It is possible to fake log entries in FishEye/Crucible logs, by sending specially crafted http requests containing a newline character.

For example going to the url /changelog/asd%0AFake%20log%20entry will cause the following to be logged:

2015-03-24 09:59:09,564 INFO  [qtp1610928748-315 ] fisheye ServletUtils-send404 - 404: No such repository: asd
Fake log entry referer=null

is cloned from

FE-5587 Log forging vulnerability

Closed

Assignee:: Grzegorz Lewandowski

Reporter:: Lukasz Pater

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 01/Dec/2015 10:36 AM

Updated:: 09/Aug/2017 7:35 AM

Resolved:: 01/Dec/2015 10:37 AM