Anyone can log anything to your log using a URL (using direct action class AjaxRemoteLogging) #1024

@hugithordarson

See:

```java
public static class Log extends ERXDirectAction {
    public Log(WORequest r) {
        super(r);
    }

    @Override
    public WOActionResults performActionNamed(String logger) {
        // Level and message both come straight from the request's form values
        String level = context().request().stringFormValueForKey("l");
        String msg = context().request().stringFormValueForKey("m");
        if (logger == null) {
            logger = AjaxRemoteLogging.class.getSimpleName();
        }
        // trigger session loading if present
        WOSession existing = existingSession();
        // Logger name is taken verbatim from the URL path component
        Logger log = Logger.getLogger(logger);
        if ("fatal".equalsIgnoreCase(level)) {
            log.fatal(msg);
        }
        else if ("error".equalsIgnoreCase(level)) {
            log.error(msg);
        }
        else if ("warn".equalsIgnoreCase(level)) {
            log.warn(msg);
        }
        else if ("info".equalsIgnoreCase(level)) {
            log.info(msg);
        }
        else if ("debug".equalsIgnoreCase(level)) {
            log.debug(msg);
        }
        return new ERXResponse();
    }
}
```

Just flagging. Is this uh … normal? Unless I'm mistaken, anyone can log anything to any logger at any level in your app using a URL?

http://some.server.com/Apps/WebObjects/App.woa/wa/AjaxRemoteLogging$Log/er.extensions.appserver.ERXApplication?l=ERROR&m=BOOM!
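For comparison, here is a hardened variant of the same direct action as an added example; it is not code from the issue or from Project Wonder. It reuses only the types visible above (ERXDirectAction, WORequest, WOActionResults, WOSession, ERXResponse, existingSession(), stringFormValueForKey) plus log4j 1.x's Level.toLevel and Logger.log; WOResponse.setStatus(int) and the log4j package names are assumptions.

```java
// Added example, not Project Wonder code. Hardens the Log direct action by
// (1) refusing anonymous callers, (2) pinning the logger name to a fixed prefix,
// (3) clamping the level to a safe range, and (4) stripping line breaks and
// truncating the message so a remote caller cannot forge extra log lines.
import org.apache.log4j.Level;          // assumed: log4j 1.x, matches log.fatal() above
import org.apache.log4j.Logger;
import com.webobjects.appserver.WOActionResults;
import com.webobjects.appserver.WORequest;
import com.webobjects.appserver.WOSession;
import er.extensions.appserver.ERXDirectAction;
import er.extensions.appserver.ERXResponse;

public static class Log extends ERXDirectAction {
    // Clients may only write to loggers under this name, never to e.g. ERXApplication.
    private static final String ALLOWED_LOGGER_PREFIX = "AjaxRemoteLogging";
    private static final int MAX_MESSAGE_LENGTH = 1000;

    public Log(WORequest r) {
        super(r);
    }

    @Override
    public WOActionResults performActionNamed(String logger) {
        ERXResponse response = new ERXResponse();

        // (1) Require an existing, authenticated session; otherwise log nothing.
        WOSession session = existingSession();
        if (session == null) {
            response.setStatus(403);        // assumed: inherited WOResponse.setStatus(int)
            return response;
        }

        // (2) Never let the request pick an arbitrary logger.
        if (logger == null || !logger.startsWith(ALLOWED_LOGGER_PREFIX)) {
            logger = ALLOWED_LOGGER_PREFIX;
        }

        // (3) Unknown or missing level falls back to INFO; remote input never reaches FATAL.
        Level level = Level.toLevel(context().request().stringFormValueForKey("l"), Level.INFO);
        if (level.isGreaterOrEqual(Level.FATAL)) {
            level = Level.ERROR;
        }

        // (4) Neutralise CR/LF (log forging) and bound the size of what gets written.
        String msg = context().request().stringFormValueForKey("m");
        msg = (msg == null ? "" : msg).replaceAll("[\\r\\n]+", " ");
        if (msg.length() > MAX_MESSAGE_LENGTH) {
            msg = msg.substring(0, MAX_MESSAGE_LENGTH) + "...[truncated]";
        }

        // Tag the entry so log consumers can tell client-supplied text from server events.
        Logger.getLogger(logger).log(level, "[remote] " + msg);
        return response;
    }
}
```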
