Bug 562414 (CVE-2003-1581)

Summary: CVE-2003-1581 httpd: Injection of arbitrary text into log files when DNS resolution is enabled
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bressers, jorton
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1581
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-06-29 15:49:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Jan Lieskovsky 2010-02-06 15:18:51 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2003-1581 to
the following vulnerability:

The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
client IP addresses, allows remote attackers to inject arbitrary text
into log files via an HTTP request in conjunction with a crafted DNS
response, as demonstrated by injecting XSS sequences, related to an
"Inverse Lookup Log Corruption (ILLC)" issue.


Comment 2 Joe Orton 2010-02-06 15:48:35 UTC
The behaviour here is controlled by the HostnameLookups directive:


the default is "off", which means no reverse lookups are done on the IP address of the client, so only IP addresses will be logged by default.

If you want valid hostnames in the logs the docs should be clear that you need to use "HostnameLookups Double" to validate the returned hostname.

Only a tiny number of public servers will enable this directive because it significantly slows down request processing; post-processing of logs is done instead.

I would not consider this a security vulnerability; the behaviour is configurable.

Comment 3 Josh Bressers 2010-06-29 15:49:02 UTC
I'm closing this bug based on Joe's comments.