Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 3.9.2, 3.10.0
Affects Version/s: 2.10.0, 3.0.0, 3.7.0
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

Description

It is possible to fake log entries in FishEye/Crucible logs, by sending specially crafted http requests containing a newline character.

For example going to the url /changelog/asd%0AFake%20log%20entry will cause the following to be logged:

2015-03-24 09:59:09,564 INFO  [qtp1610928748-315 ] fisheye ServletUtils-send404 - 404: No such repository: asd
Fake log entry referer=null

Attachments

Issue Links

was cloned as

CRUC-7515 Log forging vulnerability

Closed

mentioned in: Page Loading...; Page Loading...

Activity

People

Assignee:: Grzegorz Lewandowski

Reporter:: Lukasz Pater

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 24/Mar/2015 9:00 AM

Updated:: 09/Aug/2017 7:35 AM

Resolved:: 09/Oct/2015 7:53 AM