>There is a Log Manipulation vulnerability in Microsoft ISA Server
>2004, which when exploited will enable a malicious user to manipulate
>the Destination Host parameter of the log file.

...

>We were able to insert arbitrary characters, in this case the ASCII
>characters 1, 2, 3 (respectively) into the Destination Host parameter
>of the log file.

I'm curious about why you regard this as security-relevant. I do not know what you mean by "log manipulation".

Certainly the Host header is unusual in the sense that it is not an expected format or syntax, although if I recall correctly, it's not required in HTTP/1.0, which is the format of your request.

Does it violate the syntactic requirements as dictated by the associated RFCs?

Is the Host field expected to be consistent with some set of valid Host values, e.g. some set of supported virtual hosts?

Is it used as part of the filename of the log file?

Do these specific characters cause some parsing error that prevents other log entries from being accessed or causes them to be desynchronized (e.g. if they are field or record separator characters in the log file)?

Do these characters cause a GUI obfuscation problem in which data is not properly rendered in a window?

Do the characters have special meaning if the log file is viewed by external tools such as "more" or Notepad, which would not be under the control of ISA (and thus arguably not a vulnerability in ISA itself)?

Was encoded CRLF injection tried but not successful?

Or is there some other reason?

- Steve
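
The triage questions in the reply above can be checked mechanically. The following is an added example, not part of the original message and not ISA Server code: it assumes a constructed tab-separated, newline-terminated log layout (not ISA Server's actual format) and constructed Host values, and reports whether a value is syntactically valid, whether it contains control characters, and whether it desynchronizes fields or records when written raw versus escaped.

```python
import re

# Assumption: constructed tab-separated, newline-terminated log layout
FIELD_SEP = "\t"
RECORD_SEP = "\n"
FIELDS = ("client_ip", "dest_host", "status")

# Hostname or IPv4 literal with optional port; anything else is flagged
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}(:[0-9]{1,5})?")


def is_control(c):
    return ord(c) < 0x20 or ord(c) == 0x7F


def classify_host(host):
    """Answer the triage questions for a single Host value."""
    return {
        "valid_syntax": bool(HOST_RE.fullmatch(host)),
        "has_control_chars": any(is_control(c) for c in host),
        "breaks_fields": FIELD_SEP in host,
        "breaks_records": "\r" in host or "\n" in host,
    }


def escape_field(value):
    """Make control characters (tab, CR, LF included) and backslash visible."""
    return "".join(
        f"\\x{ord(c):02x}" if is_control(c) or c == "\\" else c for c in value
    )


def write_record(values, escape):
    render = escape_field if escape else (lambda v: v)
    return FIELD_SEP.join(render(v) for v in values) + RECORD_SEP


def parse_log(text):
    """Return (rows, indexes of rows whose field count is wrong)."""
    rows = [line.split(FIELD_SEP) for line in text.split(RECORD_SEP) if line]
    return rows, [i for i, r in enumerate(rows) if len(r) != len(FIELDS)]


def demo():
    # Constructed Host values: normal, ASCII 1-3, field separator, CRLF
    results = {}
    for host in ["www.example.com", "\x01\x02\x03", "a\tb", "a\r\nb"]:
        raw = write_record(("192.0.2.10", host, "200"), escape=False)
        safe = write_record(("192.0.2.10", host, "200"), escape=True)
        results[host] = (classify_host(host), parse_log(raw)[1], parse_log(safe)[1])
    return results
```

In this constructed layout, ASCII 1, 2, 3 are flagged as non-printing but leave field and record boundaries intact; only the separator and CR/LF values desynchronize the raw log, and none do once escaped.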