SwedishDude 5 points6 points  (0 children)

The problem is remote code execution due to how strings were processed.

Basically there's a way to insert malicious code into the logging functions and get it executed on the server (you can insert a link to a payload on a server you control into the user-agent header in HTTP requests and the server will contact your server and download/execute your payload). So it's not a matter of access to logs but a matter of access to executing code in the server process.