[Esapi-user] ESAPI Logging bad data

August Detlefsen augustd at codemagi.com
Thu May 30 23:46:39 UTC 2013


If an attacker is able to insert a newline into your log file, then yes,
that is pretty much the definition of log forging...


On Thu, May 30, 2013 at 3:27 PM, Tony M <dev at cfreak.net> wrote:

> Hello,
>
> I am using ESAPI in one of my applications. It seems that ESAPI is logging
> bad data:
>
> WARNING: [SECURITY FAILURE] Invalid input: context=validate_filename,
> type(FileName)=^[[email protected]#$%^&{}\[\]()_+\-=,.~'` ]{1,255}$, input=
>
> INFO: I AM FORGING YOUR LOG
>
> in the log file. Isn't that subject to log forging? I know that showing
> the data in the log has benefit. Any advice in solving this issue?
>
> Thanks,
>
> Tony
>
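
One way to keep a newline in attacker-supplied input from starting a fake record, as an added example that is not from this thread and is not ESAPI code: a java.util.logging formatter that escapes line breaks and control characters for every record. The class name, logger name and sample input are constructed for illustration.

```java
import java.util.logging.ConsoleHandler;
import java.util.logging.Formatter;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

// Added example, not ESAPI code: a formatter that keeps each event on one physical line.
public class SingleLineFormatter extends Formatter {

    // Escape anything that could end the current line or hide the text after it.
    static String neutralize(String s) {
        if (s == null) return "(null)";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\\') {
                out.append("\\\\");            // keep the escaping unambiguous
            } else if (c == '\n') {
                out.append("\\n");
            } else if (c == '\r') {
                out.append("\\r");
            } else if (Character.isISOControl(c) || c == 0x2028 || c == 0x2029) {
                out.append(String.format("\\u%04x", (int) c)); // other controls, Unicode line breaks
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    @Override
    public String format(LogRecord record) {
        // formatMessage() expands parameters first, so values passed as parameters are covered too.
        return record.getLevel() + ": " + neutralize(formatMessage(record)) + System.lineSeparator();
    }

    public static void main(String[] args) {
        Logger log = Logger.getLogger("demo");     // hypothetical logger name
        log.setUseParentHandlers(false);           // do not also write through the root handler
        ConsoleHandler handler = new ConsoleHandler();
        handler.setFormatter(new SingleLineFormatter());
        log.addHandler(handler);

        // Constructed input modelled on the post: a file name carrying a fake INFO record.
        String input = "report.txt\n\nINFO: I AM FORGING YOUR LOG";
        log.warning("Invalid input: context=validate_filename, input=" + input);
    }
}
```

Because the escaping happens in the formatter, callers cannot forget it, and the original bytes remain recoverable from the escaped form for later analysis.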

