Is it safe to tail and grep apache access log - is there risk of shell injection?

horizon2021
Active Member, joined Jan 31, 2021, USA
cPanel Access Level: Root Administrator
I noticed this in Log Files - Apache HTTP Server Version 2.4:
"In addition, log files may contain information supplied directly by the client, without escaping. Therefore, it is possible for malicious clients to insert control-characters in the log files, so care must be taken in dealing with raw logs."

Can simply using tail and grep on an access log present any risk of shell injection?
Code:
[root]# tail -5000 /usr/local/apache/domlogs/domain.com-ssl_log | grep WebKit4
 

horizon2021
Active Member, USA
cPanel Access Level: Root Administrator
I'm still thinking about the warning that apache has on their site:
"In addition, log files may contain information supplied directly by the client, without escaping. Therefore, it is possible for malicious clients to insert control-characters in the log files, so care must be taken in dealing with raw logs. "

In googling, I've read an example where a control character can be inserted in a file which causes tail or cat to show something other than what is in the file by moving the terminal cursor up a couple lines.

So I'm still wondering if there is any risk simply running tail or cat against a log file. How paranoid do I need to be?

Are tail and grep immune to command injection from the contents of what is being read via tail and grep?
 

horizon2021
Active Member, USA
cPanel Access Level: Root Administrator
Thanks very much for the reply. Never sure if I'm too paranoid or not paranoid enough ;)

Is there anything potentially dangerous to worry about when piping tail to grep, or when redirecting the output to a file?
e.g. is there any danger of something breaking out from the raw output causing any kind of command injection with:

tail -5000 /usr/local/apache/domlogs/domain.com-ssl_log | grep WebKit4 >> summarylog.txt
 

cPRex
Jurassic Moderator, Staff member, joined Oct 19, 2014
cPanel Access Level: Root Administrator
Posting this quote again:

"Therefore, it is possible for malicious clients to insert control-characters in the log files, so care must be taken in dealing with raw logs."
Unless *you* are the one making the injection, nothing is going to happen. Apache is saying you should make sure these logs are secure, not that they are fragile by default and you can never look at them.
 

horizon2021
Active Member, USA
cPanel Access Level: Root Administrator
OK, I still don't understand the apache warning.

What I thought it meant was that some malicious person / malware / etc. could insert some control-character through simply visiting a website and sending the referrer or user agent or some other string that would get added to the access log and contain some "control-character." Something like ;chmod something or ;echo badthing:root /etc/password or ^c command or something into the log with the hope of tricking what was reading the log file into breaking and executing something.

I could see if you were blindly directing a log file to a badly written PHP script where the script wasn't sanitizing input that maybe something like that could cause a problem. Although I haven't seen it. And I wasn't sure if basic shell commands like tail or grep had any vulnerability like PHP might to unsanitized input, input being the file being read or piped into grep in this case.

Maybe I'm just totally misunderstanding the gist of the apache warning completely.

I wonder what an example of a "control character" would be in the log file to watch out for.

Would the danger the warning is talking about be to apache itself if something got injected into a log file, and how? (apache is constantly appending to the log files, but I can't imagine it would execute anything in a log file in the logging process.)
 
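To make the Apache warning concrete: tail, grep and cat only copy bytes through; they never execute anything they read. The one thing that does interpret bytes in a raw log is the terminal emulator drawing the output, which is why an ESC-based cursor-move sequence in a User-Agent can make a line appear to vanish or be overwritten on screen. The defensive habit is to look at raw logs with control characters made visible (what `cat -v` does) and to flag lines that contain them before trusting what the terminal shows. The script below is an added example written for this thread, not code from the forum or from Apache; the three log lines in it are constructed samples, and the flagging logic is a Python equivalent of `cat -v` with a count attached so the whole thing can run offline.

```python
import re
from typing import Dict, List

# Constructed sample lines in Apache "combined" format; they are not taken from
# the forum thread or from any real server. Line 0 is clean, line 1 carries an
# ESC-based cursor-move sequence (ESC [ 2 A, "move the cursor up two lines")
# in the User-Agent field, and line 2 carries a BEL byte.
SAMPLE_LOG: List[str] = [
    '203.0.113.5 - - [31/Jan/2021:10:00:00 +0000] "GET / HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11) AppleWebKit/537.36"',
    '203.0.113.7 - - [31/Jan/2021:10:00:01 +0000] "GET /x HTTP/1.1" 404 0 '
    '"-" "Mozilla/5.0\x1b[2A\x1b[K looks-fine"',
    '203.0.113.9 - - [31/Jan/2021:10:00:02 +0000] "GET /y HTTP/1.1" 200 10 '
    '"-" "curl/7.64.1\x07"',
]

# C0 control characters except TAB, plus DEL. CR and LF are included because a
# stray CR inside a field can overwrite a terminal line just like an escape can.
CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def has_control_chars(line: str) -> bool:
    """True if a terminal would interpret something in this line instead of showing it."""
    return CONTROL_RE.search(line) is not None


def caret_notation(ch: str) -> str:
    """Render one control character the way `cat -v` does (ESC -> ^[, BEL -> ^G, DEL -> ^?)."""
    code = ord(ch)
    if code == 0x7F:
        return "^?"
    return "^" + chr(code + 0x40)


def sanitize(line: str) -> str:
    """Replace every control character with visible caret notation; printable text is untouched."""
    return CONTROL_RE.sub(lambda m: caret_notation(m.group(0)), line)


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Per-line findings: line number, flag, byte offsets of control characters, safe rendering."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        hits = [m.start() for m in CONTROL_RE.finditer(line)]
        findings.append({
            "line": number,
            "flagged": bool(hits),
            "offsets": hits,
            "safe": sanitize(line),
        })
    return findings


def summarize(lines: List[str]) -> Dict[str, int]:
    """Counts a reviewer wants before paging through raw output: total lines and flagged lines."""
    flagged = sum(1 for line in lines if has_control_chars(line))
    return {"total": len(lines), "flagged": flagged}


if __name__ == "__main__":
    # Usage: python3 logscan.py   (replace SAMPLE_LOG with sys.stdin lines for a real log)
    for finding in scan(SAMPLE_LOG):
        marker = "!!" if finding["flagged"] else "  "
        print(f"{marker} {finding['line']:>4}: {finding['safe']}")
    print(summarize(SAMPLE_LOG))
```

The "safe" rendering is what you would see from `tail -5000 domlog | cat -v`: the escape in line 2 shows up as the literal text `^[[2A^[[K` instead of moving the cursor, and the BEL in line 3 shows up as `^G` instead of ringing the terminal. Nothing here is executed; the output of `grep` redirected to `summarylog.txt` is likewise just bytes in a file, and the only moment they matter is when something later renders them.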