Preventing Log Forging in Liferay 6.2
28 January 2016
In the process of securing our customized deployment of Liferay 6.2 scanning revealed that we have a vulnerability to Log Forging. Log Forging is where an attacker inserts information into a log file. This information could for example say that an event happened which didn’t. The most obvious avenue of attack is user input which is written to a log file. The attacker could simply put data in a form field that looks like a log entry.
The currently accepted solution is to remove any line feeds and carriage returns from text written to a log file. If you are using an HTML log view you will also want to html encode any text written to the log file. Specifically any text than comes from an external source, such as a user.
Fortunately Liferay 6.2 has a solution for this out of the box. It is tucked away inside the system.properties file. To enable it you simply need to modify your JVM startup parameters. In Tomcat you would modify the setenv.sh file to look something like the following.
CATALINA_OPTS="-Dlog.sanitizer.enabled=true -Dlog.sanitizer.escape.html.enabled=false -Dlog.sanitizer.replacement.character=95 -Dlog.sanitizer.whitelist.characters=9,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126 "
You enable sanitization, define a replacement character and create a white list of acceptable characters.