...
| Code Block | ||
|---|---|---|
| ||
if (loginSuccessful) {
logger.severe("User login succeeded for: " + username);
} else {
logger.severe("User login failed for: " + username);
}
|
With no sanitization, the log injection described above is possible.
...
| Code Block | ||
|---|---|---|
| ||
if (!Pattern.matches("[A-Za-z0-z9_]+", username)) {
// Unsanitized user name
logger.severe("User login failed for unauthorized user");
} else if (loginSuccessful) {
logger.severe("User login succeeded for: " + username);
} else {
logger.severe("User login failed for: " + username);
}
|
Risk Assessment
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="77b626ef93158981-0f293852-4ce145b3-bd9b982f-92eab29af78bec8b7ac6a00f"><ac:plain-text-body><![CDATA[ | [[MITRE 2009 | AA. Bibliography#MITRE 09]] | [CWE ID 144 | http://cwe.mitre.org/data/definitions/144.html] "Improper Neutralization of Line Delimiters" | ]]></ac:plain-text-body></ac:structured-macro> |
| CWE ID 150 "Improper Neutralization of Escape, Meta, or Control Sequences" |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cb0d39018cfb5073-29411408-475b45bd-9cd1bc6e-ad657ac35862e28d36791822"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] | ]]></ac:plain-text-body></ac:structured-macro> |
...