 
                            ...
```java
if (loginSuccessful) {
  logger.severe("User login succeeded for: " + username);
} else {
  logger.severe("User login failed for: " + username);
}
```
With no sanitization, the log injection described above is possible.
...
```java
// Allowlist: only letters, digits, and underscore, so CR and LF can never reach the log
if (!Pattern.matches("[A-Za-z0-9_]+", username)) {
  // Unsanitized user name
  logger.severe("User login failed for unauthorized user");
} else if (loginSuccessful) {
  logger.severe("User login succeeded for: " + username);
} else {
  logger.severe("User login failed for: " + username);
}
```
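The effect of the allowlist check can be confirmed by logging the same input through both patterns and counting the entries that claim a successful login. This is an added example, not code from the original guideline; the class name `LogInjectionDemo`, its helper methods, and the sample user name are assumptions constructed for illustration, and `String.lines()` requires Java 11 or later.

```java
import java.io.ByteArrayOutputStream;
import java.util.logging.Logger;
import java.util.logging.SimpleFormatter;
import java.util.logging.StreamHandler;
import java.util.regex.Pattern;

public class LogInjectionDemo {  // hypothetical class, not part of the guideline
  interface LoginLogger { void log(Logger logger, boolean ok, String username); }

  // Noncompliant pattern: the user name reaches the log verbatim.
  static void logUnsanitized(Logger logger, boolean ok, String username) {
    logger.severe("User login " + (ok ? "succeeded" : "failed") + " for: " + username);
  }

  // Compliant pattern: allowlist check before the name is ever logged.
  static void logValidated(Logger logger, boolean ok, String username) {
    if (!Pattern.matches("[A-Za-z0-9_]+", username)) {
      logger.severe("User login failed for unauthorized user");
    } else {
      logUnsanitized(logger, ok, username);
    }
  }

  // Log one failed login to an in-memory handler and return the formatted output.
  static String capture(LoginLogger routine, String username) {
    ByteArrayOutputStream sink = new ByteArrayOutputStream();
    StreamHandler handler = new StreamHandler(sink, new SimpleFormatter());
    Logger logger = Logger.getAnonymousLogger();
    logger.setUseParentHandlers(false);  // keep the demo off the console
    logger.addHandler(handler);
    routine.log(logger, false, username);
    handler.flush();
    return sink.toString();
  }

  // Count log lines that claim a successful login.
  static long successEntries(String logText) {
    return logText.lines().filter(l -> l.contains("User login succeeded for:")).count();
  }

  public static void main(String[] args) {
    // Constructed input: a failed login whose name embeds a line break and a fake entry.
    String username = "guest\nSEVERE: User login succeeded for: administrator";
    String raw = capture(LogInjectionDemo::logUnsanitized, username);
    String checked = capture(LogInjectionDemo::logValidated, username);
    System.out.println("unsanitized: " + successEntries(raw) + " success line(s)");
    System.out.println("validated:   " + successEntries(checked) + " success line(s)");
  }
}
```

Although the login failed in both runs, the unsanitized log contains one line reporting a success, while the validated log contains none and records only the generic failure message.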
Risk Assessment
...
| [MITRE 2009] | [CWE ID 144](http://cwe.mitre.org/data/definitions/144.html) "Improper Neutralization of Line Delimiters" |
| | CWE ID 150 "Improper Neutralization of Escape, Meta, or Control Sequences" |
...
| [API 2006] |
...