Strange advisory

Lukas Tribus luky-37 at hotmail.com
Sat May 10 19:45:14 UTC 2014


Hi!


> I just saw something strange on
> http://nginx.org/en/security_advisories.html:
> 
> 
> "An error log data are not sanitized
> Severity: none
> CVE-2009-4487
> Not vulnerable: none
> Vulnerable: all"
> 
> 
> 
> Severity is labelled as 'None', though the CVE talks, among other stuff,
> about 'arbitrary commands and file write'.
> Is your advisories page wrong? Is the CVE wrong? Has this been solved?

Afaik the nginx developers didn't agree with this CVE advisory, because it's
actually a terminal problem. Nginx cannot be exploited, but the user when
looking at the log files can.

Read the advisory for details [1].



Regards,

Lukas


[1] http://www.ush.it/team/ush/hack_httpd_escape/adv.txt
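
Added example, not part of the original message and not nginx code: since the reply above places the risk with whoever views the log in a terminal, this filter makes control characters in log lines visible instead of letting the terminal interpret them, and reports which lines contained any. The sample log lines and the function names are constructed for illustration.

```python
# Added example: view untrusted log data without letting the terminal interpret it.
SAMPLE_LOG = (  # constructed sample, not real log output
    b'2014/05/10 19:45:14 [error] open() "/var/www/missing" failed\n'
    b'2014/05/10 19:45:15 [error] open() "/var/www/\x1b[31mred\x1b[0m" failed\n'
)


def _escape_char(ch: str) -> tuple[str, bool]:
    """Return (printable form, was_control) for one decoded character."""
    cp = ord(ch)
    if 0xDC80 <= cp <= 0xDCFF:  # raw byte that was not valid UTF-8
        cp -= 0xDC00
        return "\\x%02x" % cp, cp <= 0x9F  # 0x80-0x9f are 8-bit C1 controls
    if (cp < 0x20 and ch != "\t") or 0x7F <= cp <= 0x9F:  # C0, DEL, C1
        return "\\x%02x" % cp, True
    # Double literal backslashes so the escaped output stays unambiguous.
    return ("\\\\" if ch == "\\" else ch), False


def inspect_line(raw: bytes) -> tuple[str, bool]:
    """Return (safe-to-print text, True if the line held control characters)."""
    parts = [_escape_char(c) for c in raw.decode("utf-8", errors="surrogateescape")]
    return "".join(p for p, _ in parts), any(flag for _, flag in parts)


def flag_control_lines(log: bytes) -> list[tuple[int, str]]:
    """Return (line number, sanitized text) for each line with control characters."""
    hits = []
    for number, raw in enumerate(log.split(b"\n"), 1):
        text, flagged = inspect_line(raw)
        if flagged:
            hits.append((number, text))
    return hits


if __name__ == "__main__":
    for number, text in flag_control_lines(SAMPLE_LOG):
        print(f"line {number}: {text}")
```

Carriage returns are treated as control characters here because they can overwrite text already shown on the line; logs with CRLF line endings will therefore be flagged on every line.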

