Log forging vulnerability

2015-03-24T09:00:27
ID ATLASSIAN:FE-5587
Type atlassian
Reporter lpater
Modified 2017-08-09T07:35:03

Description

It is possible to forge log entries in FishEye/Crucible logs by sending specially crafted HTTP requests containing a newline character: the user-supplied value is written to the log without sanitisation, so an encoded newline (%0A) in the request path ends the real log record and starts a fake one.

For example, going to the URL /changelog/asd%0AFake%20log%20entry will cause the following to be logged:
{code}
2015-03-24 09:59:09,564 INFO [qtp1610928748-315 ] fisheye ServletUtils-send404 - 404: No such repository: asd
Fake log entry referer=null
{code}
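To make the defect, the fix and a review check concrete, here is an added Python example (not FishEye/Crucible code): it decodes the repository name from the advisory's example path, shows the unsanitised log line splitting into two records, applies a control-character filter that keeps it to one, and flags physical log lines that lack the format's timestamp prefix. The request path and log prefix are constructed from the example above; the function names are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Constructed from the advisory's example: the request path and the log prefix
# that precedes the user-controlled repository name.
REQUEST_PATH = "/changelog/asd%0AFake%20log%20entry"
LOG_PREFIX = ("2015-03-24 09:59:09,564 INFO [qtp1610928748-315 ] "
              "fisheye ServletUtils-send404 - ")


def repo_name_from_path(path: str) -> str:
    """Percent-decode the repository segment as the servlet container would."""
    return unquote(path.split("/changelog/", 1)[1])


def log_line_unsanitized(repo: str) -> str:
    """Vulnerable pattern: the decoded user value is interpolated verbatim."""
    return f"{LOG_PREFIX}404: No such repository: {repo} referer=null"


# CR, LF and every other ASCII control character get a visible escape so that
# one request can only ever produce one log record.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def neutralize(value: str) -> str:
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def log_line_sanitized(repo: str) -> str:
    """Fixed pattern: neutralize() is applied before the value reaches the log."""
    return f"{LOG_PREFIX}404: No such repository: {neutralize(repo)} referer=null"


# Detection for log review: every record in this format starts with a timestamp,
# so a physical line without one is either a stack-trace continuation or an
# injected line. Treat hits as candidates and read them with the preceding record.
_TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")


def suspicious_lines(log_text: str) -> list:
    return [ln for ln in log_text.splitlines() if ln and not _TIMESTAMP.match(ln)]


if __name__ == "__main__":
    repo = repo_name_from_path(REQUEST_PATH)
    print("unsanitized ->", suspicious_lines(log_line_unsanitized(repo)))
    print("sanitized   ->", suspicious_lines(log_line_sanitized(repo)))
```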