nginx 0.7.64 writes data to a log file without sanitizing
non-printable characters, which might allow remote attackers to
modify a window's title, or possibly execute arbitrary commands or
overwrite files, via an HTTP request containing an escape sequence
for a terminal emulator.
nginx changelog for 0.7 doesn't mention this CVE, so not sure if this has been fixed in 0.7.65.
Not sure if the nginx author will recognize this as an actual "bug"; here's Varnish's route: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4488
nginx seems to accept this as a vuln. See link.
I mailed the author, asking if it's planned to fix this CVE.
"No, I do not consider this as vulnerability. This is terminal issue."
I have to agree with Igor and also the team behind Varnish, which issued the following statement that this is not a vulnerability in nginx/Varnish/Apache/whatever.
The real problem is the mistaken belief that you can cat(1) a random
logfile to your terminal safely.
This is not a new issue. I first remember the issue with xterm(1)'s
inadvisably implemented escape-sequences in a root-context, brought up
heatedly, in 1988, possibly late 1987, at Copenhagens University
Computer Science dept. [...]
Issue disputed. I have not looked very deeply into this, but it really seems to be a terminal issue. However, it would have been nice to filter out these characters.
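The filtering the previous comment wishes for can be done on the reading side, regardless of whether the server ever escapes its own log output. The following is an added example written for this page, not code from nginx, Varnish or anyone in this thread: it rewrites every C0/C1 control character (including ESC and BEL, which introduce and terminate the window-title sequence the CVE text describes) as a visible `\xNN` token before the line reaches a terminal, and counts how many lines needed it so the same function can serve as a detection check. The log lines are constructed for the example; the function names are assumptions.

```python
import re

# Characters a terminal emulator may interpret rather than display: the C0
# controls (0x00-0x1F), DEL (0x7F) and the C1 controls (0x80-0x9F). ESC (0x1B)
# is what introduces the escape sequences the CVE text describes. Tab (0x09)
# is excluded because many log formats use it as a field separator and
# terminals render it harmlessly. Assumes the log was decoded as text
# (e.g. latin-1) so raw bytes map one-to-one onto code points.
_CONTROL = re.compile(r"[\x00-\x08\x0A-\x1F\x7F\x80-\x9F]")


def escape_log_line(line: str) -> str:
    """Return the line with every control character rewritten as a visible
    \\xNN token, so the result can be cat(1)'ed to a terminal without the
    terminal acting on it. Printable text is left untouched."""
    return _CONTROL.sub(lambda m: "\\x%02X" % ord(m.group(0)), line)


def has_control_chars(line: str) -> bool:
    """True if the line contains anything a terminal might interpret."""
    return _CONTROL.search(line) is not None


def filter_log(lines):
    """Escape every line and count how many needed it. Trailing newlines are
    stripped first so the line terminator itself is not reported."""
    cleaned = []
    flagged = 0
    for raw in lines:
        line = raw.rstrip("\r\n")
        if has_control_chars(line):
            flagged += 1
        cleaned.append(escape_log_line(line))
    return cleaned, flagged


# Constructed sample access-log lines (not taken from any real server). The
# second one carries an ESC ... BEL sequence in the request path, the kind of
# content the CVE text says could retitle a window when the log is cat'ed.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Jan/2010:12:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Jan/2010:12:00:01 +0000] "GET /\x1b]0;new-title\x07 HTTP/1.1" 404 0 "-" "-"',
]


if __name__ == "__main__":
    cleaned, flagged = filter_log(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    print(f"{flagged} of {len(SAMPLE_LOG)} lines contained control characters")
```

Conceptually this is what `cat -v` or `less` (without `-r`) does for you; doing it in code lets the flagged count feed an alert when a log suddenly starts containing control characters, which is itself a useful signal that someone is probing the server.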
It's a feature, not a bug? ;(