Php Syslog Log Injection
Description
Detects when user-controlled data is passed to PHP's syslog() function without proper sanitization, which could allow attackers to inject malicious log entries. This can lead to log forging attacks where an attacker manipulates system logs to hide malicious activity or cause log parsing issues.
Detection Strategy
• Identifies calls to PHP's syslog() function in the code
• Verifies the function call has exactly 2 arguments (priority level and message)
• Checks that the first argument is a valid syslog priority level constant
• Analyzes if the message parameter contains or is influenced by user-controlled input
• Reports a vulnerability when unsanitized user data flows into the syslog message parameter
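One way to implement these five steps as a token-based static check, written here as an added example in PHP (it is not Fluid Attacks' analyzer). The superglobal list, the sanitizer allowlist and the flow-insensitive taint rule (a variable assigned from a superglobal anywhere in the file counts as tainted everywhere unless the assignment calls a listed sanitizer) are simplifying assumptions; the sample source at the bottom is constructed and mirrors the vulnerable and secure snippets on this page.

```php
<?php
// Added example: simplified implementation of the five detection steps.
// Assumptions: flow-insensitive taint tracking; any call to a function in
// SANITIZERS on the right-hand side of an assignment clears the taint.

const SUPERGLOBALS = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE'];
const SANITIZERS   = ['str_replace', 'preg_replace', 'filter_var', 'intval'];
const PRIORITIES   = ['LOG_EMERG', 'LOG_ALERT', 'LOG_CRIT', 'LOG_ERR',
                      'LOG_WARNING', 'LOG_NOTICE', 'LOG_INFO', 'LOG_DEBUG'];

// Tokenize, dropping whitespace and comments; each entry is [type, text, line].
function lexTokens(string $src): array
{
    $out = [];
    foreach (token_get_all($src) as $t) {
        if (!is_array($t)) {
            $out[] = [null, $t, null];            // single-char token: '(' ',' ')' ...
        } elseif (!in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            $out[] = [$t[0], $t[1], $t[2]];
        }
    }
    return $out;
}

// Split the tokens between a call's parentheses into top-level arguments.
function splitArgs(array $toks, int $open): array
{
    $args = [[]];
    $depth = 0;
    for ($i = $open + 1, $n = count($toks); $i < $n; $i++) {
        $txt = $toks[$i][1];
        if ($txt === '(' || $txt === '[') {
            $depth++;
        } elseif ($txt === ')' || $txt === ']') {
            if ($depth === 0) {
                break;                            // closing parenthesis of the call
            }
            $depth--;
        } elseif ($txt === ',' && $depth === 0) {
            $args[] = [];
            continue;
        }
        $args[count($args) - 1][] = $toks[$i];
    }
    return $args;
}

// "$x = <expr>;" taints $x when <expr> reads a superglobal or a tainted
// variable and calls no recognised sanitizer.
function taintedVars(array $toks): array
{
    $tainted = [];
    for ($i = 0, $n = count($toks); $i + 1 < $n; $i++) {
        if ($toks[$i][0] !== T_VARIABLE || $toks[$i + 1][1] !== '=') {
            continue;
        }
        $hasSource = $hasSanitizer = false;
        for ($j = $i + 2; $j < $n && $toks[$j][1] !== ';'; $j++) {
            [$type, $txt] = $toks[$j];
            if ($type === T_VARIABLE && (in_array($txt, SUPERGLOBALS, true) || isset($tainted[$txt]))) {
                $hasSource = true;
            } elseif ($type === T_STRING && in_array(strtolower($txt), SANITIZERS, true)) {
                $hasSanitizer = true;
            }
        }
        if ($hasSource && !$hasSanitizer) {
            $tainted[$toks[$i][1]] = true;
        }
    }
    return $tainted;
}

// Apply the five steps to one PHP source; returns [line => reason].
function findSyslogInjection(string $src): array
{
    $toks = lexTokens($src);
    $tainted = taintedVars($toks);
    $findings = [];
    for ($i = 0, $n = count($toks); $i + 1 < $n; $i++) {
        // Step 1: a call to syslog(
        if ($toks[$i][0] !== T_STRING || strcasecmp($toks[$i][1], 'syslog') !== 0
            || $toks[$i + 1][1] !== '(') {
            continue;
        }
        $args = splitArgs($toks, $i + 1);
        if (count($args) !== 2) {                 // Step 2: exactly two arguments
            continue;
        }
        [$prio, $msg] = $args;
        if (count($prio) !== 1 || $prio[0][0] !== T_STRING   // Step 3: priority constant
            || !in_array($prio[0][1], PRIORITIES, true)) {
            continue;
        }
        foreach ($msg as [$type, $txt]) {         // Step 4: message reads user input
            if ($type === T_VARIABLE && (in_array($txt, SUPERGLOBALS, true) || isset($tainted[$txt]))) {
                $findings[$toks[$i][2]] = "unsanitized $txt reaches the syslog message";  // Step 5
                break;
            }
        }
    }
    return $findings;
}

// Constructed sample: two vulnerable calls, one sanitized call, one constant-only call.
$sample = <<<'PHP'
<?php
$user_input = $_GET['user'];
syslog(LOG_INFO, "User input: " . $user_input);
syslog(LOG_WARNING, "Message: " . $_POST['message']);
$clean = str_replace(["\n", "\r"], '_', $_GET['user']);
syslog(LOG_INFO, "User input: " . $clean);
syslog(LOG_INFO, "static text only");
PHP;

foreach (findSyslogInjection($sample) as $line => $reason) {
    echo "line $line: $reason\n";
}
```

Run with `php check.php`: the two calls that concatenate `$user_input` and `$_POST['message']` are reported, while the `str_replace`-sanitized call and the constant-only call are not. The sanitizer allowlist is the weak point of this approach: a wrapper that only trims whitespace would also silence the finding, so a production analyzer models what each sanitizer actually removes rather than trusting a function name.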
Vulnerable code example
<?php
// Direct user input passed to syslog without sanitization
$user_input = $_GET['user'];
syslog(LOG_INFO, "User input: " . $user_input); // Vulnerable: unsanitized user input directly used in syslog
// Another example showing direct concatenation of POST data
syslog(LOG_WARNING, "Message: " . $_POST['message']); // Vulnerable: direct concatenation of user-controlled data
✅ Secure code example
<?php
// Sanitize user input before logging by removing newlines/carriage returns
if (isset($_GET['user'])) {
$user_input = str_replace(["\n", "\r"], '_', $_GET['user']); // Strip CRLF to prevent log injection
syslog(LOG_INFO, "User input: " . $user_input);
}
// Sanitize POST data using preg_replace to remove CRLF...
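A fuller version of the secure pattern above, as an added example that is not part of the original page: one wrapper that is used for every call instead of a per-call `str_replace`, covering both the `$_GET` and the `$_POST` case. It strips every ASCII control character rather than only CR and LF, because backspace and escape sequences can also corrupt or disguise entries when logs are viewed in a terminal, and it bounds the length so a single request cannot flood the log. The function names `sanitize_for_log` and `safe_syslog` and the `key="value"` layout are this example's own choices.

```php
<?php
// Added example (not from the original page): a sanitizing syslog wrapper.
// Assumption: log consumers expect single-line, space-separated key="value" pairs.

// Replace CR, LF and every other C0 control character plus DEL with '_',
// escape embedded double quotes, and cap the length.
function sanitize_for_log(string $value, int $maxLen = 512): string
{
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '_', $value) ?? '';
    $clean = str_replace('"', '\\"', $clean);     // keep quoted fields unambiguous
    if (strlen($clean) > $maxLen) {
        $clean = substr($clean, 0, $maxLen) . '...(truncated)';
    }
    return $clean;
}

// Every user-controlled value passes through sanitize_for_log() before it is
// concatenated into the message, so syslog() never sees raw input.
function safe_syslog(int $priority, string $event, array $fields): void
{
    $parts = [];
    foreach ($fields as $name => $raw) {
        $parts[] = $name . '="' . sanitize_for_log((string) $raw) . '"';
    }
    syslog($priority, $event . ' ' . implode(' ', $parts));
}

// GET case from the page's example
safe_syslog(LOG_INFO, 'user_input', [
    'user' => $_GET['user'] ?? '',
]);

// POST case from the page's example, plus a header that is just as attacker-controlled
safe_syslog(LOG_WARNING, 'contact_form', [
    'message' => $_POST['message'] ?? '',
    'ua'      => $_SERVER['HTTP_USER_AGENT'] ?? '',
]);
```

Replacing control characters with a visible placeholder rather than deleting them is deliberate: an entry such as `user="admin_ok"` still shows an analyst that a newline was attempted, which is itself a useful detection signal, whereas silently dropping the bytes would hide the probe.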