Is nginx still vulnerable to CVE-2009-4487 ?
Jeffrey 'jf' Lim
jfs.world at gmail.com
Sun Feb 13 21:17:27 UTC 2022
On Sun, Feb 13, 2022 at 10:45 AM Moshe Katz <moshe at ymkatz.net> wrote:
>
> I can't speak for the nginx team, but as noted by "Severity: none", I assume they agree with many other vendors that this is not actually a vulnerability in nginx itself.
>
> For example, here is what the authors of Varnish said in response to this CVE:
>
> > This is not a security problem in Varnish or any other piece of software which writes a logfile.
> >
> > The real problem is the mistaken belief that you can cat(1) a random logfile to your terminal safely.
> >
> >This is not a new issue. I first remember the issue with xterm(1)'s inadvisably implemented escape-sequences in a root-context, brought up heatedly, in 1988, possibly late 1987, at Copenhagens University Computer Science dept. (Diku.dk). Since then, nothing much have changed.
> >
> > The wisdom of terminal-response-escapes in general have been questioned at regular intervals, but still none of the major terminal emulation programs have seen fit to discard these sequences, probably in a misguided attempt at compatibility with no longer used 1970'es technology.
> >
> > I admit that listing "found a security hole in all HTTP-related programs that write logfiles" will look more impressive on a resume, but I think it is misguided and a sign of trophy-hunting having overtaken common sense.
> >
> > Instead of blaming any and all programs which writes logfiles, it would be much more productive, from a security point of view, to get the terminal emulation programs to stop doing stupid things, and thus fix this and other security problems once and for all.
>
this is all fair and good (and I don't disagree that terminal
emulators need to get better) - but I'm just wondering, does anybody
here do error logging at info or debug? If you send the logs off
somewhere to a logging system, how do you parse these logs?
-jf
More information about the nginx
mailing list