Microsoft Internet Information Server (IIS) Lets Remote Users Create Bogus Web Log Entries
SecurityTracker Alert ID: 1002778
SecurityTracker URL: http://securitytracker.com/id/1002778
Date: Nov 20 2001
Impact: Modification of user information
Exploit Included: Yes
Version(s): 5.0, possibly other versions
A logging vulnerability was reported in Microsoft's Internet Information Server (IIS) web server. A remote user can create bogus web log entries.
It is reported that hex-encoded characters in a URL request are translated into the corresponding ASCII character when written to an IIS log entry. For example, '/index%2easp' is recorded in the IIS log file as '/index.asp'. The report states that %0A is translated to a new line character and %FF is translated to a character that looks just like a space.
A remote user can therefore craft a URL that results in a bogus log entry which appears to be valid.
For example, a URL request for '/index.asp' can be formed as the following string:
The request for /index.asp is terminated with a 200 status and HTTP/1.1 showing the HTTP version. Following that, a new line (%0A) is started. This will reportedly create a log entry from the '[ipaddress]' for '/evilplaces'.
The vendor has reportedly been notified.
A remote user can cause the web server to create a bogus log entry.
No solution was available at the time of this entry.
Vendor URL: www.microsoft.com/technet/security/
Cause: Input validation error
Underlying OS: Windows (NT), Windows (2000), Windows (XP)
Underlying OS Comments: Tested on Windows 2000
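The following is an added example, not code from SecurityTracker, the advisory author or Microsoft. It models the decode-then-write behaviour the summary describes beside a hardened writer that re-escapes non-printable bytes, plus two defender-side checks: one that flags percent escapes for control or high bytes in an incoming URI stem, and one that spots physical log lines whose field count does not match the W3C Extended field list given in the source message. All function names and the sample request are assumptions constructed for this illustration.

```python
import re
from urllib.parse import unquote

# Fields the source message says the default IIS 5.0 W3C Extended config logged, in order
LOG_FIELDS = ("time", "c-ip", "cs-method", "cs-uri-stem", "cs-status", "cs-version")


# Hypothetical writer reproducing the behaviour described in the advisory:
# the stem is percent-decoded and then written verbatim, so %0A becomes a
# real newline and %FF a byte that some editors render like a space.
def vulnerable_log_line(time, c_ip, method, raw_stem, status, version):
    stem = unquote(raw_stem, encoding="latin-1")
    return " ".join((time, c_ip, method, stem, str(status), version))


# Hardened variant (assumption, not IIS code): every decoded byte outside the
# printable ASCII range, plus '%' itself, is written back as %XX, so the stem
# can never carry a line break, a tab or a lookalike space into the log.
def safe_log_line(time, c_ip, method, raw_stem, status, version):
    stem = unquote(raw_stem, encoding="latin-1")
    stem = "".join(ch if 0x21 <= ord(ch) <= 0x7E and ch != "%" else "%%%02X" % ord(ch)
                   for ch in stem)
    return " ".join((time, c_ip, method, stem, str(status), version))


# Request-side check: percent escapes for control bytes (0x00-0x1F, 0x7F) and
# high bytes (0x80-0xFF) have no place in a legitimate URI stem.
SUSPICIOUS_ESCAPE = re.compile(r"%(?:[01][0-9A-Fa-f]|7[Ff]|[89A-Fa-f][0-9A-Fa-f])")


def suspicious_escapes(raw_stem):
    return sorted({m.group(0).upper() for m in SUSPICIOUS_ESCAPE.finditer(raw_stem)})


# Log-side check: a genuine entry has exactly len(LOG_FIELDS) space-separated
# fields. A line cut by an injected newline, or padded with %FF/%09 instead of
# real spaces, has a different count on the physical line.
def malformed_lines(log_text):
    bad = []
    for n, line in enumerate(log_text.split("\n"), 1):
        if line and not line.startswith("#"):
            count = len(line.split(" "))
            if count != len(LOG_FIELDS):
                bad.append((n, count))
    return bad


# Constructed sample shaped like the advisory's description (not a real capture)
FORGED_STEM = "/index.asp%FF200%FFHTTP/1.1%0A12:00:01%FF192.0.2.1%FFGET%FF/evilplaces"

if __name__ == "__main__":
    v = vulnerable_log_line("12:00:00", "198.51.100.7", "GET", FORGED_STEM, 200, "HTTP/1.1")
    print(repr(v), malformed_lines(v))
    print(safe_log_line("12:00:00", "198.51.100.7", "GET", FORGED_STEM, 200, "HTTP/1.1"))
    print(suspicious_escapes(FORGED_STEM))
```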
Source Message Contents
Subject: IIS logging issue
TOPIC: Microsoft IIS is vulnerable to log faking.
ADVISORY NR: 200103
VULNERABILITY FOUND AND WRITTEN BY: 1; (One Semicolon)
Microsoft was contacted on September 18, 2001 by emailing
email@example.com. A reply was received saying Microsoft was unable to
reproduce this using Notepad. I had only given the hex codes for
Edit in MS-DOS. After letting this sit for a while I got the hex codes for
another text editor. So I sent that to Microsoft on November 12, 2001.
I did not receive a reply to this yet.
Microsoft IIS is a web server. duh. ;)
This vulnerability was tested to work using Windows 2000 and IIS 5.0 without
changes to the logging settings.
Log entries in the IIS logfile have the hex codes in a request translated
to a character.
/index%2easp becomes /index.asp and is shown as that in the logfile.
The problem is that %0A becomes translated to a new line and %FF to what
looks just like a space. Using these two you can successfully create two
perfectly real looking log entries.
Here the request for /index.asp is ended with a 200 notice and HTTP/1.1
showing what version has been used HTTP wise. Then a new line (%0A) is
At first I thought that getting the time right would become a difficult
one. It turns out I was wrong. All logging is done using Greenwich time.
All one needs to do is figure out the current time in London and they are
Then the IP of the person who you wish to use follows. Then whatever you
think they should be caught asking for.
The %FF and %0A work when using MS-DOS's Edit.
To make this work in WordPad which more likely will be used to view logs,
replace %FF with %09.
No fix has been released for this problem as far as I know.
Maybe administrators of computers that use different webserver software
could try all hexcodes and find out if their particular server is
vulnerable to the same issue and then proceed to contact their manufacturer?
I have already found another company's server software to be vulnerable to
the same issue. Rather than people going around issuing many advisories for
the same issue but different software company, it would be nice if the
separate companies could just be notified and be able to issue a patch for
their particular program.
These days logs are used very often to prove illegal activity. When logs
cannot be trusted there is a serious problem: how else do you prove
IIS 5.0 lets you set different logging formats. I used the settings that
were put there by the IIS installation. For me this was W3C Extended
Log File Format, which logged the following things:
- Time (time)
- Client IP Address (c-ip)
- Method (cs-method)
- URI Stem (cs-uri-stem)
- Protocol Status (cs-status)
- Protocol Version (cs-version)