Bug 562798 - (CVE-2009-4487) CVE-2009-4487 nginx: Absent sanitation of escape sequences in web server log
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: impact=low,source=debian,public=20100...
Keywords: Security
Reported: 2010-02-08 07:38 EST by Jan Lieskovsky
Modified: 2014-02-23 10:25 EST
Doc Type: Bug Fix
Last Closed: 2014-02-23 10:25:46 EST
Attachments: None
Description Jan Lieskovsky 2010-02-08 07:38:46 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4487 to
the following vulnerability:

nginx 0.7.64 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. 

References:
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4487
  [2] http://www.securityfocus.com/archive/1/archive/1/508830/100/0/threaded
  [3] http://www.ush.it/team/ush/hack_httpd_escape/adv.txt
  [4] http://www.securityfocus.com/bid/37711

Upstream status:
  [5] http://nginx.org/en/security_advisories.html contains record
  for CVE-2009-4487:

    An error log data are not sanitized
    Severity: none
    CVE-2009-4487
    Not vulnerable: none
    Vulnerable: all

So it looks like they are aware of it, but not planning to fix it.
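The description above states the defect in prose only. As an added example (not nginx's code, nor the reporter's), the following sanitizer escapes the control bytes the advisory is about before an attacker-controlled field reaches the log, and the accompanying scanner reports escape sequences already sitting in a log file. The log lines, paths, timestamps and pids are constructed for the example.

```python
import re

# Bytes a terminal emulator acts on rather than displays: C0 controls (TAB
# excepted), DEL and the C1 range. Backslash is included so that the \xNN
# escaping below stays unambiguous (reversible) when the log is read back.
_UNSAFE = re.compile(rb'[\x00-\x08\x0a-\x1f\x7f\x80-\x9f\\]')

# An ESC-introduced CSI, OSC or DCS sequence (or its single-byte C1 form),
# running up to BEL or the string terminator ST; unterminated ones run on.
_ESC_SEQ = re.compile(
    rb'(?:\x1b[\[\]P]|[\x9b\x9d\x90])[^\x07\x1b\x9c]*(?:\x07|\x1b\\|\x9c)?'
)
_KIND = {b'[': 'CSI', b']': 'OSC', b'P': 'DCS',
         b'\x9b': 'CSI', b'\x9d': 'OSC', b'\x90': 'DCS'}


def sanitize(field: bytes) -> bytes:
    """Rewrite every unsafe byte of an attacker-controlled field (URI,
    request line, header value) as the printable text \\xNN before logging."""
    return _UNSAFE.sub(lambda m: b'\\x%02x' % m.group(0)[0], field)


def audit_log(data: bytes) -> list:
    """Scan an existing log for escape sequences; returns one
    (line_number, kind, raw_sequence) tuple per sequence found."""
    findings = []
    for lineno, line in enumerate(data.split(b'\n'), start=1):
        for m in _ESC_SEQ.finditer(line):
            seq = m.group(0)
            introducer = seq[1:2] if seq[:1] == b'\x1b' else seq[:1]
            findings.append((lineno, _KIND[introducer], seq))
    return findings


# Constructed sample (hypothetical paths, timestamps and pids): the first
# request's path carries an OSC sequence of the window-title kind the
# advisory mentions; the second is an ordinary missing-file error.
REQUEST_PATH = b'/index.html\x1b]0;title\x07'
RAW_LOG = (
    b'2010/02/08 07:38:46 [error] 1234#0: *1 open() "/srv/www'
    + REQUEST_PATH + b'" failed (2: No such file or directory)\n'
    b'2010/02/08 07:38:47 [error] 1234#0: *2 open() "/srv/www/ok.html"'
    b' failed (2: No such file or directory)\n'
)

if __name__ == '__main__':
    print(sanitize(REQUEST_PATH))          # printable \x1b ... \x07 text
    for lineno, kind, seq in audit_log(RAW_LOG):
        print(f'line {lineno}: {kind} sequence {seq!r}')
```

Running `audit_log` over an existing error log is a cheap way to find out whether the unsanitized logging has already been reached, independent of which terminal the operator uses to read it.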
Comment 1 Jan Lieskovsky 2010-02-08 07:58:06 EST
In fact, the impact of this issue is against the various versions of the *term
package / binary as shipped within Fedora releases 11 and 12, because
advisory [1] from the References part above further references
([4], [5], [6], [7] links in [1]):

[a] -- [4] Debian GNU/Linux XTERM (DECRQSS/comments) Weakness Vulnerability
http://www.milw0rm.com/exploits/7681

This is CVE-2008-2383, which is already fixed.

[b] -- [5] Terminal Emulator Security Issues
http://marc.info/?l=bugtraq&m=104612710031920&w=2

The list of CNAs is pretty long, but similar to the above.

[c] -- [6] Eterm Screen Dump Escape Sequence Local File Corruption Vulnerability
http://www.securityfocus.com/bid/6936/discuss

This is CVE-2003-0021, which was fixed in upstream Eterm version 0.9.2
(current versions of the Eterm package in Fedora are newer than this).

[d] -- [7] RXVT Screen Dump Escape Sequence Local File Corruption Vulnerability
http://www.securityfocus.com/bid/6938/discuss

This is CVE-2003-0022, which was fixed in upstream rxvt version 2.7.10
(ftp://ftp.rxvt.org/pub/rxvt/rxvt-2.7.10.tar.gz), and the current rxvt
packages in the Fedora and EPEL repositories are already v2.7.10 based.

So the issues, as mentioned in:

References:
  [2] http://www.securityfocus.com/archive/1/archive/1/508830/100/0/threaded

would be real issues only on very old (not updated) systems.
Comment 2 Jan Lieskovsky 2010-02-08 08:03:35 EST
Just for completeness, here are the links to patches for the Cherokee
web server, as applied for the clone of the same issue (CVE-2009-4489)
in Cherokee:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4489
  http://svn.cherokee-project.com/changeset/3944
  http://svn.cherokee-project.com/changeset/3977
Comment 3 Jeremy Hinegardner 2010-02-10 17:15:03 EST
I assume this means that, since upstream nginx is not providing a fix at this time, we should not do anything?

I'm about to package up 0.7.65 and want to check if we should do anything before then.
Comment 4 Jamie Nguyen 2014-02-23 10:25:46 EST
(In reply to Jan Lieskovsky from comment #1)
> So the issues, as mentioned in:
> 
> References:
>   [2] http://www.securityfocus.com/archive/1/archive/1/508830/100/0/threaded
> 
> would be real issues only on very old (not updated) systems.

Upstream have been aware of this issue for years and have decided not to fix it. As stated in the quote above, it appears to only affect very old systems running vulnerable *term packages, so there do not appear to be any significant consequences. I am therefore closing this bug.
