Submission #393987: Go-Tribe gotribe-admin 1.0 Improper Output Neutralization for Logs

Information

Title: Go-Tribe gotribe-admin 1.0 Improper Output Neutralization for Logs
Description:

    r.NoRoute(func(c *gin.Context) {
        fmt.Printf("%s doesn't exists, redirect on /\n", c.Request.URL.Path)
        c.Redirect(http.StatusMovedPermanently, "/")
    })

Flaw reason: in the file internal/app/routes/routes.go, at line 53, fmt.Printf is used to print a log entry, and the log content contains a user-provided value (c.Request.URL.Path). This means that an attacker can execute arbitrary code in the log by controlling the URL path to inject malicious code or special characters, or cause other security risks. This is known as a log injection attack. Vulnerability POC: An attacker can attempt to inject malicious code into the log by including a specific string or snippet of code in the URL path. For example, if an application does not properly handle or escape special characters in a URL path, an attacker could exploit this vulnerability to execute arbitrary code or leak sensitive information.
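As an added example (not code from the report or from the gotribe-admin project), the same catch-all handler rebuilt on net/http with the request path escaped via strconv.Quote before it is logged, so a newline or control character in the path can no longer forge an extra log line; the helper and handler names are assumptions.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"strconv"
	"strings"
)

// logSafe returns s in a form that cannot break out of one log line:
// strconv.Quote escapes \r, \n, \t, other control characters and
// non-printable runes, so "/x\n[INFO] ok" is logged as "/x\n[INFO] ok"
// where the \n is two literal characters, not a line break.
func logSafe(s string) string {
	return strconv.Quote(s)
}

// notFoundLine builds the log entry written for an unknown path.
func notFoundLine(path string) string {
	return fmt.Sprintf("%s doesn't exist, redirecting to /", logSafe(path))
}

// isSingleLine reports whether an entry stayed on one line, i.e. the
// untrusted path could not append entries of its own.
func isSingleLine(entry string) bool {
	return !strings.ContainsAny(entry, "\r\n")
}

// notFoundHandler is a hypothetical net/http stand-in for the gin NoRoute
// handler in the report: log the path safely, then redirect to "/".
func notFoundHandler(w http.ResponseWriter, r *http.Request) {
	log.Print(notFoundLine(r.URL.Path))
	http.Redirect(w, r, "/", http.StatusMovedPermanently)
}

func main() {
	// Constructed sample path carrying a newline and a fake log prefix.
	forged := "/missing\n2024/08/19 15:00:00 [INFO] admin login ok"
	fmt.Println("unsafe:", fmt.Sprintf("%s doesn't exist", forged))
	fmt.Println("safe:  ", notFoundLine(forged))

	mux := http.NewServeMux()
	mux.HandleFunc("/", notFoundHandler) // wire it up; no listener started here
	_ = mux
}
```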
Source: https://github.com/Go-Tribe/gotribe-admin/issues/1
User: zihe (UID 56943)
Submitted: 19/08/2024 02:59 PM (2 years ago)
Moderation: 20/08/2024 10:05 AM (19 hours later)
Status: Approved
VulDB Entry: 275198 [Go-Tribe gotribe-admin 1.0 Log routes.go InitRoutes privilege escalation]
Points: 20
