Technical information leak - Logs
Need
Protection of sensitive technical information from unauthorized access
Context
- Usage of Java for building cross-platform applications
- Usage of javax.servlet for building Java web applications with Servlet technology
- Usage of java.io for input and output operations in Java
Description
Non compliant code
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
public class LogServlet extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
String title = "System Log";
String docType = "<!doctype html public \\"-//w3c//dtd html 4.0 " + "transitional//en\\">\\n";
out.println(docType +
"<html>\\n" +
"<head><title>" + title + "</title></head>\\n" +
"<body>\\n" +
"<h1>" + title + "</h1>\\n");
File logFile = new File("/var/log/system.log");
BufferedReader br = new BufferedReader(new FileReader(logFile));
String st;
while ((st = br.readLine()) != null) {
out.println("<p>" + st + "</p>\\n");
}
out.println("</body></html>");
}
}
The above code represents a Servlet which handles GET requests and responds with an HTML page. This page contains the content of the system log file located at "/var/log/system.log".
The vulnerability lies in the fact that this Servlet is openly accessible and does not require any form of authentication or authorization. This means that any user, authenticated or not, can send a GET request to the URL mapped to this Servlet and view the system log information.
This is a major security issue as it leaks sensitive technical information about the system, which can be exploited by malicious users to gain further understanding of the system's structure, behavior, and potential weaknesses.
Furthermore, the log information is directly embedded into the HTML response without any form of sanitization or encoding, which could potentially lead to other security issues such as Cross-Site Scripting (XSS) if the log information contains any malicious user input.
Steps
- Restrict access to the LogServlet page to authorized users only.
- Implement authentication and authorization mechanisms to ensure that only authenticated and authorized users can access the system log.
- Store the system log file in a secure location that is not accessible to users.
- Avoid displaying sensitive information in the system log, or sanitize the log entries to remove any sensitive data before displaying it.
- Implement proper logging practices, such as logging only necessary information and avoiding logging sensitive data.
- Regularly review and monitor the system log for any potential security issues or unauthorized access attempts.
Compliant code
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
import java.security.Principal;
public class LogServlet extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
Principal principal = request.getUserPrincipal();
if (principal == null) {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return;
}
response.setContentType("text/html");
PrintWriter out = response.getWriter();
String title = "System Log";
String docType = "<!doctype html public \\"-//w3c//dtd html 4.0 " + "transitional//en\\">\\n";
out.println(docType +
"<html>\\n" +
"<head><title>" + title + "</title></head>\\n" +
"<body>\\n" +
"<h1>" + title + "</h1>\\n");
File logFile = new File("/var/log/system.log");
BufferedReader br = new BufferedReader(new FileReader(logFile));
String st;
while ((st = br.readLine()) != null) {
out.println("<p>" + st + "</p>\\n");
}
out.println("</body></html>");
}
}
The updated code now includes an authentication check at the beginning of the doGet method. This is done by calling request.getUserPrincipal(). If the returned Principal object is null, it means that the user is not authenticated, and an HTTP 401 Unauthorized error is sent back to the client.
This ensures that only authenticated users can access the system log. However, this is just a basic form of authentication. In a real-world application, you would also need to implement authorization to ensure that the authenticated user has the necessary permissions to view the system log.
The system log file is still stored in the same location (/var/log/system.log). In a real-world application, you should store this file in a secure location that is not accessible to users.
The code still displays the system log as it is, without sanitizing the log entries or removing any sensitive data. In a real-world application, you should sanitize the log entries and avoid logging sensitive data.
Finally, the code does not include any logging practices or monitoring of the system log. In a real-world application, you should implement proper logging practices and regularly review and monitor the system log for any potential security issues or unauthorized access attempts.