LDAP injection errors occur when:

1. Data enters a program from an untrusted source.

In this case, Fortify Static Code Analyzer could not determine that the source of the data is trusted.

2. The data is used to dynamically construct an LDAP filter.
Example 1: The following code dynamically constructs and executes an LDAP query that retrieves records for all the employees who report to a given manager. The manager's name is read from an HTTP request, and is therefore untrusted.

...
DirectorySearcher src =
           new DirectorySearcher("(manager=" + managerName.Text + ")");
src.SearchRoot = de;
src.SearchScope = SearchScope.Subtree;

foreach(SearchResult res in src.FindAll()) {
  ...
}

Under normal conditions, such as searching for employees who report to the manager John Smith, the filter that this code executes will look like the following:

(manager=Smith, John)

However, because the filter is constructed dynamically by concatenating a constant base query string and a user input string, the query only behaves correctly if managerName does not contain any LDAP meta characters. If an attacker enters the string Hacker, Wiley)(|(objectclass=*) for managerName, then the query becomes the following:

(manager=Hacker, Wiley)(|(objectclass=*))

Based on the permissions with which the query is executed, the addition of the |(objectclass=*) condition causes the filter to match against all entries in the directory, and allows the attacker to retrieve information about the entire pool of users. Depending on the permissions with which the LDAP query is performed, the breadth of this attack may be limited, but if the attacker may control the command structure of the query, such an attack can at least affect all records that the user the LDAP query is executed as can access.

LDAP injection errors occur when:

1. Data enters a program from an untrusted source.

2. The data is used to dynamically construct an LDAP filter.
Example 1: The following code dynamically constructs and executes an LDAP query that retrieves records for all the employees who report to a given manager. The manager's name is read from a network socket, and is therefore untrusted.

fgets(manager, sizeof(manager), socket);

snprintf(filter, sizeof(filter, "(manager=%s)", manager);

if ( ( rc = ldap_search_ext_s( ld, FIND_DN, LDAP_SCOPE_BASE,
       filter, NULL, 0, NULL, NULL, LDAP_NO_LIMIT,
       LDAP_NO_LIMIT, &result ) ) == LDAP_SUCCESS ) {
  ...
}

Under normal conditions, such as searching for employees who report to the manager John Smith, the filter that this code executes will look like the following:

(manager=Smith, John)

However, because the filter is constructed dynamically by concatenating a constant base query string and a user input string, the query only behaves correctly if manager does not contain any LDAP meta characters. If an attacker enters the string Hacker, Wiley)(|(objectclass=*) for manager, then the query becomes the following:

(manager=Hacker, Wiley)(|(objectclass=*))

Based on the permissions with which the query is executed, the addition of the |(objectclass=*) condition causes the filter to match against all entries in the directory, and allows the attacker to retrieve information about the entire pool of users. Depending on the permissions with which the LDAP query is performed, the breadth of this attack may be limited, but if the attacker may control the command structure of the query, such an attack can at least affect all records that the user the LDAP query is executed as can access.

LDAP injection errors occur when:
1. Data enters a program from an untrusted source.

2. The data is used to dynamically construct an LDAP filter.
Example 1: The following code dynamically constructs and executes an LDAP query that retrieves records for all the employees who report to a given manager. The manager's name is read from an HTTP request, and is therefore untrusted.

...
$managerName = $_POST["managerName"]];

//retrieve all of the employees who report to a manager

$filter = "(manager=" . $managerName . ")";

$result = ldap_search($ds, "ou=People,dc=example,dc=com", $filter);
...

Under normal conditions, such as searching for employees who report to the manager John Smith, the filter that this code executes will look like the following:

(manager=Smith, John)

However, because the filter is constructed dynamically by concatenating a constant base query string and a user input string, the query only behaves correctly if managerName does not contain any LDAP meta characters. If an attacker enters the string Hacker, Wiley)(|(objectclass=*) for managerName, then the query becomes the following:

(manager=Hacker, Wiley)(|(objectclass=*))

Based on the permissions with which the query is executed, the addition of the |(objectclass=*) condition causes the filter to match against all entries in the directory, and allows the attacker to retrieve information about the entire pool of users. Depending on the permissions with which the LDAP query is performed, the breadth of this attack may be limited, but if the attacker may control the command structure of the query, such an attack can at least affect all records that the user the LDAP query is executed as can access.

LDAP manipulation errors occur when:

1. Data enters a program from an untrusted source.

2. The data is used outside the filter string in a dynamic LDAP statement.
Example 1: The following code reads an ou string from a hidden field submitted through an HTTP request and uses it to create a new DirectoryEntry.

...
de = new DirectoryEntry("LDAP://ad.example.com:389/ou="
                        + hiddenOU.Text + ",dc=example,dc=com");
...

Because the connection string includes user input and is performed under an anonymous bind, an attacker could alter the results of the query by specifying an unexpected ou value. The problem is that the developer failed to leverage the appropriate access control mechanisms necessary to restrict subsequent queries to access only employee records that the current user is permitted to read.

LDAP manipulation errors occur when:

1. Data enters a program from an untrusted source.

2. The data is used outside the filter string in a dynamic LDAP statement.
Example 1: The following code reads a dn string from a socket and uses it to perform an LDAP query.

...
rc = ldap_simple_bind_s( ld, NULL, NULL );
  if ( rc != LDAP_SUCCESS ) {
    ...
  }
...

fgets(dn, sizeof(dn), socket);

if ( ( rc = ldap_search_ext_s( ld, dn, LDAP_SCOPE_BASE,
                               filter, NULL, 0, NULL, NULL, LDAP_NO_LIMIT,
                               LDAP_NO_LIMIT, &result ) ) != LDAP_SUCCESS ) {
...

Because base DN originates from user input and the query is performed under an anonymous bind, an attacker could alter the results of the query by specifying an unexpected dn string. The problem is that the developer failed to leverage the appropriate access control mechanisms necessary to restrict subsequent queries to access only employee records that the current user is permitted to read.

LDAP manipulation errors occur when:

1. Data enters a program from an untrusted source.

2. The data is used outside the filter string in a dynamic LDAP statement.
Example 1: The following code reads a dn string from the user and uses it to perform an LDAP query.

$dn = $_POST['dn'];

if (ldap_bind($ds)) {
...

try {
  $rs = ldap_search($ds, $dn, "ou=People,dc=example,dc=com", $attr);
...

Because base dn originates from user input and the query is performed under an anonymous bind, an attacker could alter the results of the query by specifying an unexpected dn string. The problem is that the developer failed to leverage the appropriate access control mechanisms necessary to restrict subsequent queries to access only employee records that the current user is permitted to read.

Unless the contents of the page are completely under your control, the user will be able to click on links that could be used by malicious attackers to initiate automatic telephone or FaceTime calls.

As an example, your application may be showing a blog post, or tweet, that may contain links. The author of the post or tweet your user is visiting will be able to use any arbitrary links on their pages. If your users visit a malicious site and are fooled, or automatically driven to click a link, an attacker may be able to initiate automatic FaceTime or telephone calls and block the device for a few seconds to prevent the user from cancelling the call. Note that even if you control the landing page, the user may end up navigating to different and untrusted sites.

Example 1: The following snippet of code uses a webview to load a site that may contain untrusted links but it does not specify a delegate capable of validating the requests initiated in this webview:

    ...
    let webUrl : NSURL = NSURL(string: "https://some.site.com/")!
    let webRequest : NSURLRequest = NSURLRequest(URL: webUrl)
    webView.loadRequest(webRequest)
    ...

Unless the contents of the page are completely under your control, the user will be able to click on links that may be used by malicious attackers to initiate undesired actions.

As an example, your application may be showing a blog post, or tweet, that may contain links. The author of the post or tweet your user is visiting will be able to use any arbitrary links on their pages. If your users visit a malicious site and are fooled or automatically driven to click a link, an attacker may be able to initiate some potentially dangerous actions such as using special URL schemes to initiate FaceTime or telephone calls, send data or initiate actions in third party applications, etc. Note that even if you control the landing page, the user may end up navigating to different and untrusted sites.

Example 1: The following snippet of code uses a webview to load a site that may contain untrusted links but it does not specify a delegate capable of validating the requests initiated in this webview:

    ...
    let webUrl = URL(string: "https://some.site.com/")!
    let urlRequest = URLRequest(url: webUrl)
    webView.load(webRequest)
    ...

Log forging vulnerabilities occur when:

1. Data enters an application from an untrusted source.

2. The data is written to an application or system log file.

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.

Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. If the log file is processed automatically, the attacker may be able to render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act [1]. In the worst case, an attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility [2].

Example 1: The following web application code attempts to read a value from a request object. The value then is logged.

...
DATA log_msg TYPE bal_s_msg.

val = request->get_form_field( 'val' ).

log_msg-msgid = 'XY'.
log_msg-msgty = 'E'.
log_msg-msgno = '123'.
log_msg-msgv1 = 'VAL: '.
log_msg-msgv2 = val.

CALL FUNCTION 'BAL_LOG_MSG_ADD'
  EXPORTING
    I_S_MSG          = log_msg
  EXCEPTIONS
    LOG_NOT_FOUND    = 1
    MSG_INCONSISTENT = 2
    LOG_IS_FULL      = 3
    OTHERS           = 4.
...

If a user submits the string "FOO" for val, the following entry is logged:

XY E 123 VAL: FOO

However, if an attacker submits the string "FOO XY E 124 VAL: BAR", the following entry is logged:

XY E 123 VAL: FOO XY E 124 VAL: BAR

Clearly, attackers may use this same mechanism to insert arbitrary log entries.

Log forging vulnerabilities occur when:

1. Data enters an application from an untrusted source.

2. The data is written to an application or system log file.

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.

Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. If the log file is processed automatically, the attacker may be able to render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act [1]. In the worst case, an attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility [2].

Example 1: The following web application code attempts to read an integer value from a request object. If the value fails to parse as an integer, then the input is logged with an error message indicating what happened.

var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var val:String = String(params["username"]);
var value:Number = parseInt(val);
if (value == Number.NaN) {
  trace("Failed to parse val = " + val);
}

If a user submits the string "twenty-one" for val, the following entry is logged:

Failed to parse val=twenty-one

However, if an attacker submits the string "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy", the following entry is logged:

Failed to parse val=twenty-one

User logged out=badguy

Clearly, attackers may use this same mechanism to insert arbitrary log entries.

Log forging vulnerabilities occur when:

1.Data enters an application from an untrusted source.

2.The data is written to an application or system log file.

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.

Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. If the log file is processed automatically, the attacker may be able to render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act [1]. In the worst case, an attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility [2].

Example 1: The following web application code attempts to read an integer value from a request object. If the value fails to parse as an integer, then the input is logged with an error message indicating what happened.

...
string val = (string)Session["val"];
try {
int value = Int32.Parse(val);
}
catch (FormatException fe) {
log.Info("Failed to parse val= " + val);
}
...

If a user submits the string "twenty-one" for val, the following entry is logged:

INFO: Failed to parse val=twenty-one

However, if an attacker submits the string "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy", the following entry is logged:

INFO: Failed to parse val=twenty-one

INFO: User logged out=badguy

Clearly, attackers may use this same mechanism to insert arbitrary log entries.

Log forging vulnerabilities occur when:

1. Data enters an application from an untrusted source.

2. The data written to an application or system log file.

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending upon the nature of the application, log files can be reviewed manually as required, or culled automatically by tools that search the logs for important data points or trends.

Examination of the log files can be hindered or conclusions based on log data can be wrong if an attacker is allowed to supply data to the application that is subsequently logged verbatim. An attacker might insert false entries into the log file by including log entry separator characters in their data. If the log file is processed automatically, the attacker may be able to render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act [1]. In the worst case, an attacker injects code or other commands into the log file and takes advantage of a vulnerability in the log processing utility [2].

Example 1: The following code from a CGI script accepts a string submitted by the user and attempts to convert it into the long integer value it represents. If the value fails to parse as an integer, then its value is logged with an error message indicating what happened.

long value = strtol(val, &endPtr, 10);
if (*endPtr != '\0')
	syslog(LOG_INFO,"Illegal value = %s",val);
...

If a user submits the string "twenty-one" for val, the following entry is logged:

Illegal value=twenty-one

However, if an attacker submits the string "twenty-one\n\nINFO: User logged out=evil", the following entry is logged:

	INFO: Illegal value=twenty-one

	INFO: User logged out=evil

Clearly, the attacker may use this same mechanism to insert arbitrary log entries. For this type of log forging attack to be effective, an attacker must first identify valid log entry formats, but this can often be accomplished by through system information leaks in the target application.

Log forging vulnerabilities occur when:

1. Data enters an application from an untrusted source.

2. The data is written to an application or system log file.

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.

Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker might insert false entries into the log file by providing the application with input that includes appropriate characters. If the log file is processed automatically, the attacker might render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act [1]. In the worst case, an attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility [2].

Example 1: The following web application code attempts to read a value from an HTML form. The value then is logged.

...
01  LOGAREA.
     05  VALHEADER        PIC X(50) VALUE 'VAL: '.
     05  VAL              PIC X(50).
...

EXEC CICS
  WEB READ
  FORMFIELD(NAME)
  VALUE(VAL)
  ...
END-EXEC.

EXEC DLI
  LOG
  FROM(LOGAREA)
  LENGTH(50)
END-EXEC.
...

If a user submits the string "FOO" for VAL, the following entry is logged:

VAL: FOO

However, if an attacker submits the string "FOO VAL: BAR", the following entry is logged:

VAL: FOO VAL: BAR

Clearly, attackers may use this same mechanism to insert arbitrary log entries.

Log forging vulnerabilities occur when:

1. Data enters an application from an untrusted source.


2. The data is written to an application or system log file.


Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.

Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. If the log file is processed automatically, the attacker may be able to render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act [1]. In the worst case, an attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility [2].

Example 1: The following web application code attempts to read an integer value from a web form. If the value fails to parse as an integer, then the input is logged with an error message indicating what happened.

<cflog file="app_log" application="No" Thread="No" 
       text="Failed to parse val="#Form.val#">

If a user submits the string "twenty-one" for val, the following entry is logged:

"Information",,"02/28/01","14:50:37",,"Failed to parse val=twenty-one"

However, if an attacker submits the string "twenty-one%0a%0a%22Information%22%2C%2C%2202/28/01%22%2C%2214:53:40%22%2C%2C%22User%20logged%20out:%20badguy%22", the following entry is logged:

"Information",,"02/28/01","14:50:37",,"Failed to parse val=twenty-one"

"Information",,"02/28/01","14:53:40",,"User logged out: badguy"

Clearly, attackers may use this same mechanism to insert arbitrary log entries.

Log forging vulnerabilities occur when:

1. Data enters an application from an untrusted source.

2. The data is written to an application or system log file.

Applications typically use log files to store a history of events, view transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.

Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. If the log file is processed automatically, the attacker may be able to render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act [1]. In the worst case, an attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility [2].

Example 1: The following web application code attempts to read an integer value from a request object. If the value fails to parse as an integer, then the input is logged with an error message indicating what happened.

    func someHandler(w http.ResponseWriter, r *http.Request){
        r.parseForm()
        name := r.FormValue("name")
        logout := r.FormValue("logout")
        ...
        if (logout){
            ...
        } else {
            log.Printf("Attempt to log out: name: %s logout: %s", name, logout)
        }
    }

If a user submits the string "twenty-one" for logout and he was able to create a user with name "admin", the following entry is logged:

Attempt to log out: name: admin logout: twenty-one

However, if an attacker is able to create a username "admin+logout:+1+++++++++++++++++++++++", the following entry is logged:

Attempt to log out: name: admin logout: 1                       logout: twenty-one

Log forging vulnerabilities occur when:

1. Data enters an application from an untrusted source.

2. The data is written to an application or system log file.

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.

Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. If the log file is processed automatically, the attacker may be able to render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act [1]. In the worst case, an attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility [2].

Example 1: The following web application code attempts to read an integer value from a request object. If the value fails to parse as an integer, then the input is logged with an error message indicating what happened.

var cp = require('child_process');
var http = require('http');
var url = require('url');

function listener(request, response){
  var val = url.parse(request.url, true)['query']['val'];
  if (isNaN(val)){
    console.log("INFO: Failed to parse val = " + val);
  }
  ...
}
...
http.createServer(listener).listen(8080);
...

If a user submits the string "twenty-one" for val, the following entry is logged:

INFO: Failed to parse val = twenty-one

However, if an attacker submits the string "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy", the following entry is logged:

INFO: Failed to parse val=twenty-one

INFO: User logged out=badguy

Clearly, attackers may use this same mechanism to insert arbitrary log entries.

Log forging vulnerabilities occur when:

1. Data enters an application from an untrusted source.

2. The data is written to an application or system log file.

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending upon the nature of the application, log files can be reviewed manually as required, or culled automatically by tools that search the logs for important data points or trends.

Examination of the log files can be hindered or conclusions based on log data can be wrong if an attacker is allowed to supply data to the application that is subsequently logged verbatim. An attacker might insert false entries into the log file by including log entry separator characters in their data. If the log file is processed automatically, the attacker may be able to render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act [1]. In the worst case, an attacker injects code or other commands into the log file and takes advantage of a vulnerability in the log processing utility [2].

Example 1: The following code from a CGI script accepts a string submitted by the user and attempts to convert it into the long integer value it represents. If the value fails to parse as an integer, then its value is logged with an error message indicating what happened.

long value = strtol(val, &endPtr, 10);
if (*endPtr != '\0')
	NSLog("Illegal value = %s",val);
...

If a user submits the string "twenty-one" for val, the following entry is logged:

    INFO: Illegal value=twenty-one

However, if an attacker submits the string "twenty-one\n\nINFO: User logged out=evil", the following entry is logged:

	INFO: Illegal value=twenty-one

	INFO: User logged out=evil

Clearly, the attacker may use this same mechanism to insert arbitrary log entries. For this type of log forging attack to be effective, an attacker must first identify valid log entry formats, but this can often be accomplished through system information leaks in the target application.

Log forging vulnerabilities occur when:

1. Data enters an application from an untrusted source.

2. The data is written to an application or system log file.

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.

Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. If the log file is processed automatically, the attacker may be able to render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act [1]. In the worst case, an attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility [2].

Example 1: The following web application code attempts to read an integer value from a request object. If the value fails to parse as an integer, then the input is logged with an error message indicating what happened.

<?php
    $name   =$_GET['name'];
    ...
    $logout =$_GET['logout'];

    if(is_numeric($logout))
    {
        ...
    }
    else
    {
        trigger_error("Attempt to log out: name: $name logout: $val");
    }
?>

If a user submits the string "twenty-one" for logout and he was able to create a user with name "admin", the following entry is logged:

PHP Notice: Attempt to log out: name: admin logout: twenty-one

However, if an attacker is able to create a username "admin+logout:+1+++++++++++++++++++++++", the following entry is logged:

PHP Notice: Attempt to log out: name: admin logout: 1                       logout: twenty-one

Log forging vulnerabilities occur when:

1. Data enters an application from an untrusted source.

2. The data is written to an application or system log file.

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.

Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. If the log file is processed automatically, the attacker may be able to render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act [1]. In the worst case, an attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility [2].

Example 1: The following web application code attempts to read an integer value from a request object. If the value fails to parse as an integer, then the input is logged with an error message indicating what happened.

    name = req.field('name')
    ...
    logout = req.field('logout')

    if (logout):
        ...
    else:
        logger.error("Attempt to log out: name: %s logout: %s" % (name,logout))

If a user submits the string "twenty-one" for logout and he was able to create a user with name "admin", the following entry is logged:

Attempt to log out: name: admin logout: twenty-one

However, if an attacker is able to create a username "admin+logout:+1+++++++++++++++++++++++", the following entry is logged:

Attempt to log out: name: admin logout: 1                       logout: twenty-one

Log forging vulnerabilities occur when:

1. Data enters an application from an untrusted source.

2. The data is written to an application or system log file.

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.

Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. If the log file is processed automatically, the attacker may be able to render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act [1]. In the worst case, an attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility [2].

Example 1: The following web application code attempts to read an integer value from a request object. If the value fails to parse as an integer, then the input is logged with an error message indicating what happened.

...
val = req['val']
unless val.respond_to?(:to_int)
  logger.info("Failed to parse val")
  logger.info(val)
end
...

If a user submits the string "twenty-one" for val, the following entry is logged:

INFO: Failed to parse val
INFO: twenty-one

However, if an attacker submits the string "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy", the following entry is logged:

INFO: Failed to parse val
INFO: twenty-one

INFO: User logged out=badguy

Clearly, attackers may use this same mechanism to insert arbitrary log entries.

Log forging vulnerabilities occur when:

1. Data enters an application from an untrusted source.

2. The data is written to an application or system log file.

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending upon the nature of the application, log files can be reviewed manually as required, or culled automatically by tools that search the logs for important data points or trends.

Examination of the log files can be hindered or conclusions based on log data can be wrong if an attacker is allowed to supply data to the application that is subsequently logged verbatim. An attacker might insert false entries into the log file by including log entry separator characters in their data. If the log file is processed automatically, the attacker may be able to render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act [1]. In the worst case, an attacker injects code or other commands into the log file and takes advantage of a vulnerability in the log processing utility [2].

Example 1: The following code accepts a string submitted by the user and attempts to convert it into the integer value it represents. If the value fails to parse as an integer, then its value is logged with an error message indicating what happened.

...
let num = Int(param)
if num == nil {
    NSLog("Illegal value = %@", param)
}
...

If a user submits the string "twenty-one" for val, the following entry is logged:

    INFO: Illegal value = twenty-one

However, if an attacker submits the string "twenty-one\n\nINFO: User logged out=evil", the following entry is logged:

	INFO: Illegal value=twenty-one

	INFO: User logged out=evil

Clearly, the attacker may use this same mechanism to insert arbitrary log entries. For this type of log forging attack to be effective, an attacker must first identify valid log entry formats, but this can often be accomplished through system information leaks in the target application.

Log forging vulnerabilities occur when:

1. Data enters an application from an untrusted source.

2. The data is written to an application or system log file.

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.

Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. If the log file is processed automatically, the attacker may be able to render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act [1]. In the worst case, an attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility [2].

Example 1: The following web application code attempts to read an integer value from a request object. If the value fails to parse as an integer, then the input is logged with an error message indicating what happened.

...
Dim Val As Variant
Dim Value As Integer
Set Val = Request.Form("val")
If IsNumeric(Val) Then
	Set Value = Val
Else
	App.EventLog "Failed to parse val=" & Val, 1
End If
...

If a user submits the string "twenty-one" for val, the following entry is logged:

Failed to parse val=twenty-one

However, if an attacker submits the string "twenty-one%0a%0a+User+logged+out%3dbadguy", the following entry is logged:

Failed to parse val=twenty-one

User logged out=badguy

Clearly, attackers may use this same mechanism to insert arbitrary log entries.

Log forging vulnerabilities occur when:

1. Data enters an application from an untrusted source.



2. The data is written to an application or system log file.



Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.

Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. If the log file is processed automatically, the attacker may be able to render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act [1]. In the worst case, an attacker might inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility [2].

Example 1: The following REST endpoint attempts to read an integer value from a request object. If the value fails to parse as an integer, then the input is logged with an error message indicating what happened.

@HttpGet
global static void doGet() {
    RestRequest req = RestContext.request;
    String val = req.params.get('val');
    try {
        Integer i = Integer.valueOf(val);
        ...
    } catch (TypeException e) {
        System.Debug(LoggingLevel.INFO, 'Failed to parse val: '+val);
    }
}

If a user submits the string "twenty-one" for val, the following entry is logged:

Failed to parse val: twenty-one

However, if an attacker submits the string "twenty-one%0a%0aUser+logged+out%3dbadguy", the following entry is logged:

Failed to parse val: twenty-one

User logged out=badguy

Clearly, attackers might use this same mechanism to insert arbitrary log entries.

Log forging vulnerabilities occur when:

1. Data enters an application from an untrusted source.

2. The data is written to an application or system log file.

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.

Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. If the log file is processed automatically, the attacker may be able to render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act [1]. In the worst case, an attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility [2].

Example 1: The following web application code attempts to read an integer value from a request object. If the value fails to parse as an integer, then the input is logged with an error message indicating what happened.

  ...
          String val = request.Params["val"];
          try {
                  int value = Int.Parse(val);
          }
          catch (FormatException fe) {
                  log.Info("Failed to parse val = " + val);
          }
  ...
  

If a user submits the string "twenty-one" for val, the following entry is logged:

  INFO: Failed to parse val=twenty-one
  

However, if an attacker submits the string "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy", the following entry is logged:

  INFO: Failed to parse val=twenty-one

  INFO: User logged out=badguy
  

Clearly, attackers may use this same mechanism to insert arbitrary log entries.

Some think that in the mobile world, classic web application vulnerabilities, such as log forging, do not make sense -- why would the user attack themself? However, keep in mind that the essence of mobile platforms is applications that are downloaded from various sources and run alongside each other on the same device. The likelihood of running a piece of malware next to a banking application is high, which necessitates expanding the attack surface of mobile applications to include inter-process communication.

Example 2: The following code adapts Example 1 to the Android platform.

  ...
          String val = this.Intent.Extras.GetString("val");
          try {
                  int value = Int.Parse(val);
          }
          catch (FormatException fe) {
                  Log.E(TAG, "Failed to parse val = " + val);
          }
  ...
  

Log forging vulnerabilities occur when:

1. Data enters an application from an untrusted source.

2. The data is written to an application or system log file.

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files might be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.

Interpretation of the log files might be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker can insert false entries into the log file by providing the application with input that includes appropriate characters. If the log file is processed automatically, the attacker can render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, an attacher can use corrupted log files to cover their tracks or even to implicate another party in the commission of a malicious act [1]. In the worst case, an attacker might inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility [2].

Example 1: The following web application code attempts to read an integer value from a request object. If the value fails to parse as an integer, then the input is logged with an error message to indicate what happened.

...
    var idValue string

    idValue = req.URL.Query().Get("id")
    num, err := strconv.Atoi(idValue)

    if err != nil {
        sysLog.Debug("Failed to parse value: " + idValue)
    }
...

If a user submits the string "twenty-one" for val, the following entry is logged:

INFO: Failed to parse val=twenty-one

However, if an attacker submits the string "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy", the following entry is logged:

INFO: Failed to parse val=twenty-one

INFO: User logged out=badguy

Clearly, attackers can use this same mechanism to insert arbitrary log entries.

Log forging vulnerabilities occur when:

1. Data enters an application from an untrusted source.

2. The data is written to an application or system log file.

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.

Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. If the log file is processed automatically, the attacker may be able to render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act [1]. In the worst case, an attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility [2].

Example 1: The following web application code attempts to read an integer value from a request object. If the value fails to parse as an integer, then the input is logged with an error message indicating what happened.

var cp = require('child_process');
var http = require('http');
var url = require('url');

function listener(request, response){
  var val = url.parse(request.url, true)['query']['val'];
  if (isNaN(val)){
    console.error("INFO: Failed to parse val = " + val);
  }
  ...
}
...
http.createServer(listener).listen(8080);
...

If a user submits the string "twenty-one" for val, the following entry is logged:

INFO: Failed to parse val=twenty-one

However, if an attacker submits the string "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy", the following entry is logged:

INFO: Failed to parse val=twenty-one

INFO: User logged out=badguy

Clearly, attackers may use this same mechanism to insert arbitrary log entries.

Log forging vulnerabilities occur when:

1. Data enters an application from an untrusted source.

2. The data is written to an application or system log file.

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.

Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. If the log file is processed automatically, the attacker may be able to render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act [1]. In the worst case, an attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility [2].

Example 1: The following web application code attempts to read an integer value from a request object. If the value fails to parse as an integer, then the input is logged with an error message indicating what happened.

...
val = request.GET["val"]
try:
  int_value = int(val)
except:
  logger.debug("Failed to parse val = " + val)
...

If a user submits the string "twenty-one" for val, the following entry is logged:

INFO: Failed to parse val=twenty-one

However, if an attacker submits the string "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy", the following entry is logged:

INFO: Failed to parse val=twenty-one

INFO: User logged out=badguy

Clearly, attackers may use this same mechanism to insert arbitrary log entries.

Log forging vulnerabilities occur when:

1. Data enters an application from an untrusted source.

2. The data is written to an application or system log file.

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.

Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. If the log file is processed automatically, the attacker may be able to render the file unusable by corrupting the format of the file or injecting unexpected characters. A more subtle attack might involve skewing the log file statistics. Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act [1]. In the worst case, an attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility [2].

Example 1: The following web application code attempts to read an integer value from a request object. If the value fails to parse as an integer, then the input is logged with an error message indicating what happened.

...
val = req['val']
unless val.respond_to?(:to_int)
  logger.debug("Failed to parse val")
  logger.debug(val)
end
...

If a user submits the string "twenty-one" for val, the following entry is logged:

DEBUG: Failed to parse val
DEBUG: twenty-one

However, if an attacker submits the string "twenty-one%0a%DEBUG:+User+logged+out%3dbadguy", the following entry is logged:

DEBUG: Failed to parse val
DEBUG: twenty-one

DEBUG: User logged out=badguy

Clearly, attackers may use this same mechanism to insert arbitrary log entries.

These types of vulnerabilities can occur when: SMTP command injection vulnerabilities occur when an attacker can influence the commands sent to an SMTP mail server.

1. Data enters the application from an untrusted source.

2. The data is used as or is part of a string representing a command that is executed by the application.

3. By executing the SMTP command, the attacker can instruct the server to carry out malicious actions such as sending spam.

Example 1: The following code uses an HTTP request parameter to craft a VRFY command that is sent to the SMTP server. An attacker might use this parameter to modify the command sent to the server and inject new commands using CRLF characters.

  ...
    c, err := smtp.Dial(x)
	if err != nil {
		log.Fatal(err)
	}
	user := request.FormValue("USER")
	c.Verify(user)
  ...
  

SMTP command injection vulnerabilities occur when an attacker may influence the commands sent to an SMTP mail server.

1. Data enters the application from an untrusted source.

2. The data is used as or as part of a string representing a command that is executed by the application.

3. By executing the SMTP command, the attacker is able to instruct the server to carry out malicious actions such as sending spam.

Example 1: The following code uses an HTTP request parameter to craft a VRFY command that is sent to the SMTP server. An attacker may use this parameter to modify the command sent to the server and inject new commands using CRLF characters.

...
user = request.GET['user']
session = smtplib.SMTP(smtp_server, smtp_tls_port)
session.ehlo()
session.starttls()
session.login(username, password)
session.docmd("VRFY", user)
...

To ease development and increase productivity, most modern frameworks allow an object to be automatically instantiated and populated with the HTTP request parameters whose names match an attribute of the class to be bound. Automatic instantiation and population of objects speeds up development, but can lead to serious problems if implemented without caution. Any attribute in the bound classes, or nested classes, will be automatically bound to the HTTP request parameters. Therefore, malicious users will be able to assign a value to any attribute in bound or nested classes, even if they are not exposed to the client through web forms or API contracts.

Example 1: With no additional configuration, the following ASP.NET MVC controller method will bind the HTTP request parameters to any attribute in the RegisterModel or Details classes:

public ActionResult Register(RegisterModel model)
{
    if (ModelState.IsValid)
    {
        try
        {
            return RedirectToAction("Index", "Home");
        }
        catch (MembershipCreateUserException e)
        {
            ModelState.AddModelError("", "");
        }
    }
    return View(model);
}

Where RegisterModel class is defined as:

public class RegisterModel
{
    [BindRequired]
    [Display(Name = "User name")]
    public string UserName { get; set; }

    [BindRequired]
    [DataType(DataType.Password)]
    [Display(Name = "Password")]
    public string Password { get; set; }

    [DataType(DataType.Password)]
    [Display(Name = "Confirm password")]
    public string ConfirmPassword { get; set; }

    public Details Details { get; set; }

    public RegisterModel()
    {
        Details = new Details();
    }
}

and Details class is defined as:

public class Details
{
    public bool IsAdmin { get; set; }
    ...
}

Example 2: When using TryUpdateModel() or UpdateModel() in ASP.NET MVC or Web API applications, the model binder will automatically try to bind all HTTP request parameters by default:

public ViewResult Register()
{
    var model = new RegisterModel();
    TryUpdateModel<RegisterModel>(model);
    return View("detail", model);
}

Example 3: In ASP.NET Web Form applications, the model binder will automatically try to bind all HTTP request parameters when using TryUpdateModel() or UpdateModel() with IValueProvider interface.

Employee emp = new Employee();
TryUpdateModel(emp, new System.Web.ModelBinding.FormValueProvider(ModelBindingExecutionContext)); 
if (ModelState.IsValid)
{
    db.SaveChanges();
}

and Employee class is defined as:

 public class Employee
    {
        public Employee()
        {
            IsAdmin = false;
            IsManager = false;
        }
        public string Name { get; set; }
        public string Email { get; set; }
        public bool IsManager { get; set; }
        public bool IsAdmin { get; set; }
    }