Name String Format Overflow in syslog()
Summary This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
Prerequisites The format string argument of the Syslog function can be tainted with user supplied data.
Solutions The following code shows a vulnerable usage of Syslog():
Related Weaknesses
CWE ID Description
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-134 Uncontrolled Format String
CWE-680
CWE-697 Insufficient Comparison
Back to Top