| Название | Go-Tribe gotribe-admin 1.0 Improper Output Neutralization for Logs |
|---|
| Описание | r.NoRoute(func(c *gin.Context) {
fmt.Printf("%s doesn't exists, redirect on /\n", c.Request.URL.Path)
c.Redirect(http.StatusMovedPermanently, "/")
})
Flaw reason: in the internal/app/routes/routes go file of 53 line, using the FMT. Printf to print log, the log content contains the user to provide the value of (c.R equest. URL. The Path). This means that an attacker can execute arbitrary code in the log by controlling the URL path to inject malicious code or special characters
Or cause other security risks. This is known as a log injection attack.
Vulnerability POC: An attacker can attempt to inject malicious code into the log by including a specific string or snippet of code in the URL path. For example, if an application does not properly handle or escape special characters in a URL path, an attacker could exploit this vulnerability to execute arbitrary code or leak sensitive information. |
|---|
| Источник | ⚠️ https://github.com/Go-Tribe/gotribe-admin/issues/1 |
|---|
| Пользователь | zihe (UID 56943) |
|---|
| Представление | 19.08.2024 14:59 (2 лет назад) |
|---|
| Модерация | 20.08.2024 10:05 (19 hours later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 275198 [Go-Tribe gotribe-admin 1.0 Log routes.go InitRoutes эскалация привилегий] |
|---|
| Баллы | 20 |
|---|