CVE-2009-4487 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4487): nginx 0.7.64 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.
nginx changelog for 0.7 doesn't mention this CVE, so not sure if this has been fixed in 0.7.65.
Not sure if the nginx author will recognize this as an actual "bug"; here's the varnish route: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4488
nginx seems to accept this as a vuln. See link: http://nginx.org/en/security_advisories.html
I mailed the author to ask whether it's planned to fix this CVE.
igor@sysoev.ru wrote: "No, I do not consider this as vulnerability. This is terminal issue."
I have to agree with Igor and also the team behind varnish, which issued the following statement, that this is not a vulnerability in nginx/varnish/apache/whatever. The real problem is the mistaken belief that you can cat(1) a random logfile to your terminal safely. This is not a new issue. I first remember the issue with xterm(1)'s inadvisably implemented escape-sequences in a root-context, brought up heatedly, in 1988, possibly late 1987, at Copenhagens University Computer Science dept. [...]
Issue disputed. I have not looked very deeply into this, but it really seems to be a terminal issue. However, it would have been nice to filter out these characters. It's a feature, not a bug? ;(
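Added example, not part of the thread and not nginx or varnish code: one way to review an access log without sending raw control bytes to the terminal, which is the filtering the comments above discuss. The function names and the sample log lines are constructed for illustration.

```python
import re

# Bytes a terminal emulator may act on: C0 controls, DEL, and every 8-bit byte
# (which covers the C1 range, e.g. 0x9b). Backslash is escaped as well so the
# rendering stays unambiguous.
_UNSAFE = re.compile(rb"[\x00-\x1f\x7f-\xff\\]")
# For flagging, only C0 controls (tab excepted) and DEL are counted, so that
# ordinary UTF-8 text in a request does not raise false alarms.
_CONTROL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")


def sanitize_log_line(raw: bytes) -> str:
    """Render one log line as printable ASCII, unsafe bytes shown as \\xNN."""
    body = raw.rstrip(b"\r\n")
    escaped = _UNSAFE.sub(lambda m: b"\\x%02x" % m.group(0)[0], body)
    return escaped.decode("ascii")


def flag_control_bytes(lines):
    """Return (line_number, sanitized_line) for lines carrying control bytes."""
    hits = []
    for number, raw in enumerate(lines, 1):
        if _CONTROL.search(raw.rstrip(b"\r\n")):
            hits.append((number, sanitize_log_line(raw)))
    return hits


# Constructed sample: line 2 carries an ESC-introduced sequence in the request.
SAMPLE_LOG = [
    b'192.0.2.10 - - [10/Jan/2010:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512\n',
    b'192.0.2.11 - - [10/Jan/2010:12:00:01 +0000] "GET /\x1b]0;constructed\x07 HTTP/1.1" 404 169\n',
]

if __name__ == "__main__":
    for number, line in flag_control_bytes(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

Reading the log through `sanitize_log_line` instead of cat(1) keeps every byte visible for investigation while nothing reaches the terminal as an escape sequence.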