Red Hat Bugzilla – Bug 562414
CVE-2003-1581 httpd: Injection of arbitrary text into log files when DNS resolution is enabled
Last modified: 2010-06-29 11:49:02 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2003-1581 to the following vulnerability: The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an "Inverse Lookup Log Corruption (ILLC)" issue. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1581 http://www.securityfocus.com/archive/1/313867
The behaviour here is controlled by the HostnameLookups directive: http://httpd.apache.org/docs/2.2/mod/core.html#hostnamelookups the default is "off", which means no reverse lookups are done on the IP address of the client, so only IP addresses will be logged by default. If you want valid hostnames in the logs the docs should be clear that you need to use "HostnameLookups Double" to validate the returned hostname. Only a tiny number of public servers will enable this directive because it significantly slows down request processing; post-processing of logs is done instead. I would not consider this a security vulnerability; the behaviour is configurable.
I'm closing this bug based on Joe's comments. Thanks.