Log Poisoning

Log Poisoning is an attack technique in which an attacker plants code inside a server log file and then has that file evaluated through a Local File Inclusion (LFI) vulnerability or a similar mechanism, resulting in code execution on the server.

How It Works

Applications write various data to log files, including user-controlled input such as User-Agent headers, usernames, or error messages. Because PHP's include() parses any file it is given as source, regardless of extension, a <?php ... ?> tag that lands in a log line is executed the moment that log is included. If an attacker can inject code into a log and then trigger the log file's inclusion, the injected code runs with the privileges of the web server process.

Attack Flow

1. Inject PHP code into the log file via the User-Agent header. The payload must be valid PHP on a single line: a syntax error anywhere in the log breaks every later include of that file, and a newline would split the entry.
   GET / HTTP/1.1
   User-Agent: <?php system($_GET['cmd']); ?>

2. Apache writes the request, User-Agent included, to access.log. The attack only works if the web server process can read that file; on Debian-based systems Apache's logs are root:adm with mode 0640, which www-data cannot read.

3. Use the LFI to include the log file, passing the command to run in a second parameter:
   GET /page.php?file=../../../var/log/apache2/access.log&cmd=id

4. PHP parses the log as source, runs the injected code, and returns the command output embedded in the rest of the log contents.

Common Log File Targets

  • Apache: /var/log/apache2/access.log, error.log
  • Nginx: /var/log/nginx/access.log, error.log
  • SSH: /var/log/auth.log (inject via the username of a failed login)
  • Mail: /var/log/mail.log (inject via a sender or recipient address)
  • FTP: /var/log/vsftpd.log (inject via the FTP username)

Whichever file is chosen, it must be readable by the account the web server runs as; check the log's owner and mode before relying on it.

Injection Vectors

  • User-Agent header
  • Referer header
  • Username in login attempts
  • Email addresses in mail logs
  • Error messages that reflect input
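
Detection logic for these vectors, added here as an example and not part of the original page: it parses combined-format access log lines, flags PHP open tags in the User-Agent, Referer and user fields, and flags traversal requests aimed at the log files listed above. The log lines in the block are constructed samples.

```python
"""Detect log-poisoning attempts in Apache/Nginx combined-format access logs.

Added example, not part of the original page. The log lines below are
constructed samples; the field layout is the standard combined format
(client, identity, user, time, request, status, bytes, referer, user-agent).
"""
import re
import urllib.parse
from typing import List, Tuple

COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# PHP open tags (the tag name is case-insensitive in PHP).
PHP_TAG = re.compile(r'<\?(php|=)', re.IGNORECASE)

# Log files an attacker typically points an LFI at, from the list above.
LOG_TARGETS = (
    "/var/log/apache2/", "/var/log/nginx/", "/var/log/auth.log",
    "/var/log/mail.log", "/var/log/vsftpd.log",
)


def _decode(s: str) -> str:
    """Undo URL encoding (twice, to catch %252e-style double encoding)."""
    return urllib.parse.unquote(urllib.parse.unquote(s))


def analyze_line(line: str) -> List[str]:
    """Return the reasons a single log line looks like poisoning or an LFI trigger."""
    m = COMBINED.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    for field in ("agent", "referer", "user"):
        if PHP_TAG.search(m.group(field)):
            reasons.append(f"php tag in {field}")
    # The request target is the one field that is routinely URL-encoded.
    request = _decode(m.group("request"))
    if PHP_TAG.search(request):
        reasons.append("php tag in request")
    if "../" in request or "..\\" in request:
        for path in LOG_TARGETS:
            if path in request:
                reasons.append(f"traversal to {path}")
                break
        else:
            reasons.append("path traversal")
    return reasons


def scan(log_text: str) -> List[Tuple[int, List[str]]]:
    """Scan a whole log; return (line_number, reasons) for each suspicious line."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        reasons = analyze_line(line)
        if reasons:
            findings.append((n, reasons))
    return findings


# Constructed sample log: two poisoning attempts, one LFI trigger, one benign hit.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_GET['cmd']); ?>"
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 310 "<?=`$_GET[0]`?>" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /page.php?file=..%2F..%2F..%2Fvar%2Flog%2Fapache2%2Faccess.log&cmd=id HTTP/1.1" 200 8192 "-" "curl/8.4.0"
198.51.100.2 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 1024 "https://example.org/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```

A poisoning attempt and its LFI trigger usually arrive from the same client a few seconds apart, so correlating the first two classes of finding with the third by client address is a cheap way to raise confidence before alerting.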

Prevention

  • Sanitize or encode user-controlled data before logging (strip newlines and control characters at minimum)
  • Prevent LFI vulnerabilities: resolve the file parameter against a fixed whitelist of allowed files instead of concatenating user input into include()
  • Run the web server as a low-privileged account that cannot read the log files
  • Store logs outside the web root; on its own this does not stop an LFI that allows directory traversal, so combine it with the measures above

See Also