Strange advisory
Lukas Tribus
luky-37 at hotmail.com
Sat May 10 19:45:14 UTC 2014
Hi!
> I just saw something strange on
> http://nginx.org/en/security_advisories.html:
>
>
> "An error log data are not sanitized
> Severity: none
> CVE-2009-4487
> Not vulnerable: none
> Vulnerable: all"
>
>
>
> Severity is labelled as 'None', though the CVE talks, among other stuff,
> about 'arbitrary commands and file write'.
> Is your advisories page wrong? Is the CVE wrong? Has this been solved?
Afaik the nginx developers didn't agree with this CVE advisory, because it's
actually a terminal problem. Nginx cannot be exploited, but the user when
looking at the log files can.
Read the advisory for details [1].
Regards,
Lukas
[1] http://www.ush.it/team/ush/hack_httpd_escape/adv.txt
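
The reply above places the risk with the terminal that displays the log, not with nginx, so it can be handled on the viewing side. The following is an added example, not part of the original post or of nginx: a Python filter that rewrites control characters to visible `\xNN` text before a log line is printed. The function names and the sample log lines are constructed for illustration.

```python
import re
import sys

# Characters a terminal emulator may act on: C0 controls except TAB,
# DEL, and the C1 range (0x9b is a one-character CSI on some terminals).
CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")


def neutralize(raw: bytes):
    """Return (printable_text, hits) for one raw log line.

    Invalid UTF-8 bytes are rendered as \\xNN by the decoder; control
    characters are rewritten to \\xNN so the terminal prints them instead
    of interpreting them. Output is for display only, not round-tripping.
    """
    text = raw.rstrip(b"\r\n").decode("utf-8", errors="backslashreplace")
    return CONTROL.subn(lambda m: "\\x%02x" % ord(m.group()), text)


def view(stream, out=sys.stdout):
    """Print every line safely; return the line numbers that had controls."""
    flagged = []
    for lineno, raw in enumerate(stream, 1):
        text, hits = neutralize(raw)
        if hits:
            flagged.append(lineno)
        out.write(text + "\n")
    return flagged


# Constructed sample: one error-log style line whose path carries
# ESC [ 2 J (clear screen), and one clean line with valid UTF-8.
SAMPLE = [
    b'2014/05/10 19:45:14 [error] 1#0: *1 open() "/srv/www/\x1b[2Jx" failed\n',
    b'2014/05/10 19:45:15 [error] 1#0: *2 open() "/srv/www/caf\xc3\xa9" failed\n',
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # open in binary: no implicit decoding
            bad = view(fh)
    else:
        bad = view(SAMPLE)
    print("lines with control characters:", bad, file=sys.stderr)
```

Run with a log file path as the only argument to page through a real log; the flagged line numbers go to stderr so they can be reviewed separately.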