Log Injection

Last revision (mm/dd/yy): //

Description
First to understand Log injection, lets first know what a log file is.

Log file - It is basically a file, probably residing on some server, database (depending on what kind of logs it notes down) or any other essential networking components, that keeps an accurate record of all the transactions and events taking place interminably from the start until the service has decided to terminate.

All major and vital decisions in relation to the web application are taken place by analyzing these logs.

So this points out 2 important things: So how does log poisoning work?
 * How important logs are to every single organization existing over the web!
 * Log files exist in the backend of practically anywhere you navigate on the web.

First a PHP code is injected in the log file, and it can be achieved by doing something like:

As it is an HTTP GET request, it will end up in the log file. This stage it is called log file poisoning. Although the above request will most likely display an error, by re-reading the web server's log file, the code will be executed.

Code Execution

Now the web server log file is poisoned with the previously injected PHP code, but loading the web server's log file the following will happen:

So the most important factor we can note here is, log files are not executable! But if the server side programming language is the same as the code injected(which is the obvious case) the server while loading the log file: Also the most important thing to note down is the way it works:
 * 1) (PHP) reads the log file.
 * 2) (PHP) detects the (PHP) code in the log file.
 * 3) (PHP) will parse the (PHP) code and parse its output to the user's browser, displaying the (PHP) info.
 * (Log_injection(Code_Execution(parsing)))
 * 1) Read access to log files is enough to execute code after they're poisoned (this requires LFI)

Now let's understand when can all this work?

Let's consider we have found a LFI(Local File Inclusion) vulnerability http://vulnerable_host/preview.php?file=example.html If an attacker is lucky enough, and instead of selecting the appropriate page from the array by its name, the script directly includes the input parameter, it is possible to include arbitrary files on the server (Also while at it lets assume for a moment that the PHP open_basedir* is not configured).

Now this would load the preview.php file which is located in the same directory as where the web pages served.

The POC(Proof of Concept) would be: To load a log_file file(in our case). http://vulnerable_host/preview.php?file=../../../../etc/access_log In this scenario, let's assume that the log file is loaded and displayed in the user's browser. In this case it's already bad enough because you can basically load any file that the www-user has read access to. And something like this would be displayed: root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin alex:x:500:500:alex:/home/alex:/bin/bash margo:x:501:501::/home/margo:/bin/bash ... So this answers when a PHP code can be injected to the log file.

So the above equation can be revised as:

LFI(Log_injection(Code_Execution(parsing)))

How can Log Injection be prevented?

 * We need to include input validation both at server and client’s end. The suspected characters can be sanitized and replaced.
 * The application used to render logs has to be thoroughly scrutinized for vulnerabilities.


 * Instead of directly passing messages via parameters, log codes could be passed. However it is still exploitable.
 * Don’t use API Calls to log actions, as there API’s will be visible in browser network calls.
 * In case of a need, pass user ids or publicly non identifiable values as parameters in logging endpoints.
 * Use proper error codes and identifiable error messages.