
Log Injection - security issue #4231


SaidAmer created

Hi Support Team,

We have executed a security check via SonarQube, but we received a security issue related to the ABP framework. Here are the details about this issue:

| Category | Log Injection |
| --- | --- |
| Review priority | LOW |
| Details | Make sure that this logger's configuration is safe. |

Here are the links which might help you:

Configuring loggers is security-sensitive. It has led in the past to the following vulnerabilities:

CVE-2018-0285 CVE-2000-1127 CVE-2017-15113 CVE-2015-5742

How to fix, see:
  • OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
  • OWASP Top 10 2017 Category A10 - Insufficient Logging & Monitoring
  • MITRE, CWE-532 - Information Exposure Through Log Files
  • MITRE, CWE-117 - Improper Output Neutralization for Logs
  • MITRE, CWE-778 - Insufficient Logging
  • SANS Top 25 - Porous Defenses

  • ABP Framework version: 6.0.1
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): no
  • Exception message and stack trace: see the attached files
  • Steps to reproduce the issue: Create a new project with abp framework then execute a security check with SonarQube.

Would you please give this issue a high priority? We cannot proceed with the ABP framework without fixing this issue because we have a security audit from a third party.


3 Answer(s)
  • alper created
    Support Team Director

    This is the default setup of the Logger. You can customize it according to your requirements. If your pen test tool raises it as a "low level security leak", you can change it in the src/TaajeerFinance.HttpApi.Host/Program.cs class. Set it to .MinimumLevel.Fatal().

    We cannot do it in the framework because it's not in the framework. It's in the application that you have generated.

  • SaidAmer created

    Hi Alper,

    I have applied your suggestion but we still face the same issue, any ideas from your side?

    Thanks, Said

  • alper created
    Support Team Director

    It's a log level that you can easily change in your application. You can search your whole solution and change all the log levels.
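As an added example, not ABP's generated template nor code from either poster: a Program.cs-style Serilog setup that sets the minimum level explicitly, as the answers above suggest, together with a helper that neutralizes line breaks in user-controlled values before they are written, which is the concern behind CWE-117 in the SonarQube finding. The LogSanitizer helper, the sink package names and the sample header value are assumptions constructed for this example.

```csharp
// Added example (not ABP's template or Serilog's own code). Assumes the
// Serilog, Serilog.Sinks.Console and Serilog.Sinks.File NuGet packages.
using System.Text;
using Serilog;
using Serilog.Events;

public static class LogSanitizer
{
    // Escape CR/LF/TAB and drop other control characters so a user-supplied
    // value cannot forge an additional log line or break the log layout.
    public static string Neutralize(string value, int maxLength = 256)
    {
        if (string.IsNullOrEmpty(value)) return string.Empty;
        var sb = new StringBuilder(value.Length);
        foreach (var ch in value)
        {
            if (sb.Length >= maxLength) { sb.Append("...[truncated]"); break; }
            switch (ch)
            {
                case '\r': sb.Append("\\r"); break;
                case '\n': sb.Append("\\n"); break;
                case '\t': sb.Append("\\t"); break;
                default: sb.Append(char.IsControl(ch) ? '?' : ch); break;
            }
        }
        return sb.ToString();
    }
}

public class Program
{
    public static int Main(string[] args)
    {
        Log.Logger = new LoggerConfiguration()
            .MinimumLevel.Information()                                 // explicit, auditable level
            .MinimumLevel.Override("Microsoft", LogEventLevel.Warning)  // quiet framework noise
            .Enrich.FromLogContext()
            .WriteTo.Console()
            .WriteTo.File("Logs/logs.txt", rollingInterval: RollingInterval.Day)
            .CreateLogger();

        // Constructed sample input: a header value that tries to smuggle a fake log line.
        var userAgent = "Mozilla/5.0\r\n[INF] admin logged in successfully";
        // Logged as one line: "... Mozilla/5.0\r\n[INF] admin logged in successfully"
        Log.Information("Request from user agent {UserAgent}", LogSanitizer.Neutralize(userAgent));
        Log.CloseAndFlush();
        return 0;
    }
}
```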

Made with ❤️ on ABP v9.2.0-preview. Updated on March 25, 2025, 11:10