cronolog.org
flexible web log rotation
HOME
DOWNLOAD
FEATURES
USAGE
FAQ
BLOG
KNOWN BUGS
SECURITY
PATCHES
USERS
TO DO
HISTORY
LINKS
FEEDBACK
MAILING LIST
ADVERTISING

support cronolog development
Google   HELP

Security issues with cronolog

As far as I am aware noone has done a formal security audit of cronolog. However I have checked the code for potential buffer overflows and such like, and have not found anything untoward. Users should however be aware that cronolog is normally invoked from the web server and passed a filename template from which it constructs the names of the log files that are written. On Unix-like systems piped log programs are started by the initial server process, which runs as root; thus cronolog will usually run as root. If an attacker can write to the web server configuration file then he or she could cause cronolog to write to critical files. Mind you if an attacker does manage to change the web server configuration file then all sorts of nefarious actions are open to them.

Andrew Ford, 17 January 2002

Copyright © 1996-2004 Andrew Ford and Ford & Mason Ltd