Log forging vulnerability

      It is possible to fake log entries in FishEye/Crucible logs by sending specially crafted HTTP requests containing a newline character.

      For example, going to the URL /changelog/asd%0AFake%20log%20entry will cause the following to be logged:

      2015-03-24 09:59:09,564 INFO  [qtp1610928748-315 ] fisheye ServletUtils-send404 - 404: No such repository: asd
      Fake log entry referer=null
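
      Added example, not part of the original report and not FishEye/Crucible code: it reproduces the log line above from the request path, shows the same line with the value neutralized before logging, and flags log lines that lack the timestamp prefix. The function names (neutralize, log_404, suspicious_lines) are hypothetical, and the message layout is assumed from the log excerpt above.

```python
import re
from urllib.parse import unquote

# Prefix copied from the log line in the report; everything else here is constructed.
PREFIX = ("2015-03-24 09:59:09,564 INFO  [qtp1610928748-315 ] "
          "fisheye ServletUtils-send404 - ")
ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")


def neutralize(value):
    """Escape CR, LF, other non-printable characters and backslashes."""
    out = []
    for ch in value:
        if ch == "\\" or not ch.isprintable():
            out.append(ch.encode("unicode_escape").decode("ascii"))
        else:
            out.append(ch)
    return "".join(out)


def log_404(path, sanitize):
    """Hypothetical stand-in for the 404 log call; returns the text written."""
    repo = unquote(path)  # URL decoding turns %0A into a real newline
    if sanitize:
        repo = neutralize(repo)
    return PREFIX + "404: No such repository: " + repo + " referer=null"


def suspicious_lines(log_text):
    """Lines lacking the timestamp prefix; stack traces also match, so review hits."""
    return [ln for ln in log_text.splitlines()
            if ln and not ENTRY_START.match(ln)]


if __name__ == "__main__":
    path = "asd%0AFake%20log%20entry"  # request path from the report
    for sanitize in (False, True):
        text = log_404(path, sanitize)
        print(text)
        print("  flagged:", suspicious_lines(text))
```

      With neutralization the entry stays on one line and the newline appears as a literal \n, so the injected text can no longer be read as a separate entry.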
      

            Assignee:
            Grzegorz Lewandowski
            Reporter:
            Lukasz Pater