Bug 562798 (CVE-2009-4487) - CVE-2009-4487 nginx: Absent sanitation of escape sequences in web server log
Summary: CVE-2009-4487 nginx: Absent sanitation of escape sequences in web server log
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2009-4487
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.securityfocus.com/archive/...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-02-08 12:38 UTC by Jan Lieskovsky
Modified: 2020-11-05 10:33 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-02-23 15:25:46 UTC
Embargoed:


Attachments (Terms of Use)

Description Jan Lieskovsky 2010-02-08 12:38:46 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4487 to
the following vulnerability:

nginx 0.7.64 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. 

References:
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4487
  [2] http://www.securityfocus.com/archive/1/archive/1/508830/100/0/threaded
  [3] http://www.ush.it/team/ush/hack_httpd_escape/adv.txt
  [4] http://www.securityfocus.com/bid/37711

Upstream status:
  [5] http://nginx.org/en/security_advisories.html contains record
  for CVE-2009-4487:

    An error log data are not sanitized
    Severity: none
    CVE-2009-4487
    Not vulnerable: none
    Vulnerable: all

So looks, they are aware of it, but not planning to fix it.

Comment 1 Jan Lieskovsky 2010-02-08 12:58:06 UTC
In fact the impact of this issue against various versions of *term
package / binary, as shipped within Fedora release of 11 and 12,
because advisory [1] from References part above further references
([4], [5], [6], [7] links in [1]):

[a] -- [4] Debian GNU/Linux XTERM (DECRQSS/comments) Weakness Vulnerability
http://www.milw0rm.com/exploits/7681

This is #CVE-2008-2383, which is already fixed.

[b] -- [5] Terminal Emulator Security Issues
http://marc.info/?l=bugtraq&m=104612710031920&w=2

The list of CNA's is pretty long, but similar as above.

[c] -- [6] Eterm Screen Dump Escape Sequence Local File Corruption Vulnerability
http://www.securityfocus.com/bid/6936/discuss

This is CVE-2003-0021, which was fixed in upstream Eterm 0.9.2 version
(current versions of Eterm package in Fedora are newer than this).

[d] -- [7] RXVT Screen Dump Escape Sequence Local File Corruption Vulnerability
http://www.securityfocus.com/bid/6938/discuss

This is CVE-2003-0022, which was fixed in upstream rxvt-v2.7.10 version
(ftp://ftp.rxvt.org/pub/rxvt/rxvt-2.7.10.tar.gz) and current rxvt
packages in Fedora and EPEL repositories are already v2.7.10 based.

So the issues, as mentioned in:

References:
  [2] http://www.securityfocus.com/archive/1/archive/1/508830/100/0/threaded

would be real issues only on very old (not updated) systems.

Comment 2 Jan Lieskovsky 2010-02-08 13:03:35 UTC
Just for completeness, here are the links to patches for the Cherokee
web server, as applied for the clone of the same issue (CVE-2009-4489)
in Cherokee:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4489
  http://svn.cherokee-project.com/changeset/3944
  http://svn.cherokee-project.com/changeset/3977

Comment 3 Jeremy Hinegardner 2010-02-10 22:15:03 UTC
I assume this means, since upstream nginx is not providing a fix at this time that we should not do anything?

I'm about package up 0.7.65 and want to check if we should do anything before then.

Comment 4 Jamie Nguyen 2014-02-23 15:25:46 UTC
(In reply to Jan Lieskovsky from comment #1)
> So the issues, as mentioned in:
> 
> References:
>   [2] http://www.securityfocus.com/archive/1/archive/1/508830/100/0/threaded
> 
> would be real issues only on very old (not updated) systems.

Upstream have been aware of this issue for years and have decided not to fix it. As stated in the quote above, it appears to only affect very old systems running vulnerable *term packages so there does not appear to be any significant consequences. I am therefore closing this bug.


Note You need to log in before you can comment on or make changes to this bug.