Bug 562414 (CVE-2003-1581)
Summary: | CVE-2003-1581 httpd: Injection of arbitrary text into log files when DNS resolution is enabled | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | bressers, jorton |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1581 | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-06-29 15:49:02 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jan Lieskovsky
2010-02-06 15:18:51 UTC
The behaviour here is controlled by the HostnameLookups directive: http://httpd.apache.org/docs/2.2/mod/core.html#hostnamelookups the default is "off", which means no reverse lookups are done on the IP address of the client, so only IP addresses will be logged by default. If you want valid hostnames in the logs the docs should be clear that you need to use "HostnameLookups Double" to validate the returned hostname. Only a tiny number of public servers will enable this directive because it significantly slows down request processing; post-processing of logs is done instead. I would not consider this a security vulnerability; the behaviour is configurable. I'm closing this bug based on Joe's comments. Thanks. |