
Log Forging in DispatcherServlet via requestURI [SPR-11591] #16215


Description


Darius Bohni opened SPR-11591 and commented

There is a security issue on lines 843/844. An attacker can manipulate the log via a malicious request.

The method doService extracts the URI from the request and uses it unvalidated.

Source:

logger.debug("DispatcherServlet with name '" + getServletName() + "'" + resumed +
		" processing " + request.getMethod() + " request for [" + requestUri + "]");

An attacker can forge the log by sending a request containing %0D%0A

Like: /app/home%0D%0AFAKE

The log will look like:

08:34:50.145 [http-bio-8080-exec-1] DEBUG o.s.web.servlet.DispatcherServlet - DispatcherServlet with name 'dispatcher' processing GET request for [/app/home
FAKE]

Affects: 3.2.8, 4.0.2

Referenced from: commits a2bdc28, 465ca24

Backported to: 3.2.9
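The following is an added illustration, not code from the Spring Framework or from the reporter, of the log-forging pattern described above and of one way to neutralise it. It assumes the request URI reaches the logger percent-decoded (which is what the reported log line shows, since the `%0D%0A` has become a real line break) and uses a hypothetical `LogSanitizer` helper: `unsafeMessage` rebuilds the reported message shape with the raw value, `safeMessage` escapes CR, LF, tab and other control characters first, and `main` feeds both the constructed path from the report.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added example, not Spring Framework code. Neutralises CR/LF and other
// control characters in attacker-controlled values before they reach a log.
public final class LogSanitizer {

    private LogSanitizer() {}

    /** Replace line-breaking and other control characters with visible escapes. */
    public static String sanitize(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\r': sb.append("\\r"); break;
                case '\n': sb.append("\\n"); break;
                case '\t': sb.append("\\t"); break;
                default:
                    // isISOControl covers U+0000-U+001F and U+007F-U+009F (NEL included);
                    // U+2028/U+2029 are Unicode line/paragraph separators some viewers honour.
                    if (Character.isISOControl(c) || c == '\u2028' || c == '\u2029') {
                        sb.append(String.format("\\u%04x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    /** Vulnerable shape of the message: the decoded URI is concatenated in unchanged. */
    static String unsafeMessage(String servletName, String method, String requestUri) {
        return "DispatcherServlet with name '" + servletName + "' processing "
                + method + " request for [" + requestUri + "]";
    }

    /** Hardened shape: the URI is sanitised before it is concatenated. */
    static String safeMessage(String servletName, String method, String requestUri) {
        return unsafeMessage(servletName, method, sanitize(requestUri));
    }

    public static void main(String[] args) {
        // Constructed input mirroring the report: the path as sent on the wire.
        String rawPath = "/app/home%0D%0AFAKE";
        // Percent-decoding turns %0D%0A into a literal CR LF (Java 10+ signature).
        String decoded = URLDecoder.decode(rawPath, StandardCharsets.UTF_8);
        // The unsafe line prints on two lines; the safe line keeps "\r\n" visible as text.
        System.out.println("unsafe: " + unsafeMessage("dispatcher", "GET", decoded));
        System.out.println("safe:   " + safeMessage("dispatcher", "GET", decoded));
    }
}
```

Where a per-call-site fix is impractical, the same escaping can be applied once in the logging layout instead (Logback's `%replace(...)` conversion word, or Log4j 2's `%enc{%m}{CRLF}`), which also covers log statements that were not audited individually.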

Metadata

Labels

in: web (Issues in web modules: web, webmvc, webflux, websocket)
status: backported (An issue that has been backported to maintenance branches)
type: bug (A general bug)
