Common Vulnerabilities and Exposures assigned an identifier CVE-2003-1581 to
the following vulnerability:
The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
client IP addresses, allows remote attackers to inject arbitrary text
into log files via an HTTP request in conjunction with a crafted DNS
response, as demonstrated by injecting XSS sequences, related to an
"Inverse Lookup Log Corruption (ILLC)" issue.
The behaviour here is controlled by the HostnameLookups directive:
the default is "off", which means no reverse lookups are done on the IP address of the client, so only IP addresses will be logged by default.
If you want valid hostnames in the logs the docs should be clear that you need to use "HostnameLookups Double" to validate the returned hostname.
Only a tiny number of public servers will enable this directive because it significantly slows down request processing; post-processing of logs is done instead.
I would not consider this a security vulnerability; the behaviour is configurable.
I'm closing this bug based on Joe's comments.