Title | Go-Tribe gotribe-admin 1.0 Improper Output Neutralization for Logs |
---|
Description | r.NoRoute(func(c *gin.Context) {
fmt.Printf("%s doesn't exists, redirect on /\n", c.Request.URL.Path)
c.Redirect(http.StatusMovedPermanently, "/")
})
Flaw reason: in the internal/app/routes/routes go file of 53 line, using the FMT. Printf to print log, the log content contains the user to provide the value of (c.R equest. URL. The Path). This means that an attacker can execute arbitrary code in the log by controlling the URL path to inject malicious code or special characters
Or cause other security risks. This is known as a log injection attack.
Vulnerability POC: An attacker can attempt to inject malicious code into the log by including a specific string or snippet of code in the URL path. For example, if an application does not properly handle or escape special characters in a URL path, an attacker could exploit this vulnerability to execute arbitrary code or leak sensitive information. |
---|
Source | ⚠️ https://github.com/Go-Tribe/gotribe-admin/issues/1 |
---|
User | zihe (UID 56943) |
---|
Submission | 08/19/2024 02:59 PM (3 months ago) |
---|
Moderation | 08/20/2024 10:05 AM (19 hours later) |
---|
Status | Accepted |
---|
VulDB Entry | 275198 |
---|
Points | 20 |
---|