| タイトル | Go-Tribe gotribe-admin 1.0 Improper Output Neutralization for Logs |
|---|
| 説明 | r.NoRoute(func(c *gin.Context) {
fmt.Printf("%s doesn't exists, redirect on /\n", c.Request.URL.Path)
c.Redirect(http.StatusMovedPermanently, "/")
})
Flaw reason: in the internal/app/routes/routes go file of 53 line, using the FMT. Printf to print log, the log content contains the user to provide the value of (c.R equest. URL. The Path). This means that an attacker can execute arbitrary code in the log by controlling the URL path to inject malicious code or special characters
Or cause other security risks. This is known as a log injection attack.
Vulnerability POC: An attacker can attempt to inject malicious code into the log by including a specific string or snippet of code in the URL path. For example, if an application does not properly handle or escape special characters in a URL path, an attacker could exploit this vulnerability to execute arbitrary code or leak sensitive information. |
|---|
| ソース | ⚠️ https://github.com/Go-Tribe/gotribe-admin/issues/1 |
|---|
| ユーザー | zihe (UID 56943) |
|---|
| 送信 | 2024年08月19日 14:59 (2 年 ago) |
|---|
| モデレーション | 2024年08月20日 10:05 (19 hours later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 275198 [Go-Tribe gotribe-admin 1.0 Log routes.go InitRoutes 特権昇格] |
|---|
| ポイント | 20 |
|---|