Bug 562414 (CVE-2003-1581) - CVE-2003-1581 httpd: Injection of arbitrary text into log files when DNS resolution is enabled
Summary: CVE-2003-1581 httpd: Injection of arbitrary text into log files when DNS reso...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2003-1581
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-02-06 15:18 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:34 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-29 15:49:02 UTC
Embargoed:


Attachments (Terms of Use)

Description Jan Lieskovsky 2010-02-06 15:18:51 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2003-1581 to
the following vulnerability:

The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
client IP addresses, allows remote attackers to inject arbitrary text
into log files via an HTTP request in conjunction with a crafted DNS
response, as demonstrated by injecting XSS sequences, related to an
"Inverse Lookup Log Corruption (ILLC)" issue.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1581
  http://www.securityfocus.com/archive/1/313867

Comment 2 Joe Orton 2010-02-06 15:48:35 UTC
The behaviour here is controlled by the HostnameLookups directive:

http://httpd.apache.org/docs/2.2/mod/core.html#hostnamelookups

the default is "off", which means no reverse lookups are done on the IP address of the client, so only IP addresses will be logged by default.

If you want valid hostnames in the logs the docs should be clear that you need to use "HostnameLookups Double" to validate the returned hostname.

Only a tiny number of public servers will enable this directive because it significantly slows down request processing; post-processing of logs is done instead.

I would not consider this a security vulnerability; the behaviour is configurable.

Comment 3 Josh Bressers 2010-06-29 15:49:02 UTC
I'm closing this bug based on Joe's comments.

Thanks.


Note You need to log in before you can comment on or make changes to this bug.