Is nginx still vulnerable to CVE-2009-4487?
Jeffrey 'jf' Lim
jfs.world at gmail.com
Sun Feb 13 21:17:27 UTC 2022
On Sun, Feb 13, 2022 at 10:45 AM Moshe Katz <moshe at ymkatz.net> wrote:
> I can't speak for the nginx team, but as noted by "Severity: none", I assume they agree with many other vendors that this is not actually a vulnerability in nginx itself.
> For example, here is what the authors of Varnish said in response to this CVE:
> > This is not a security problem in Varnish or any other piece of software which writes a logfile.
> > The real problem is the mistaken belief that you can cat(1) a random logfile to your terminal safely.
> > This is not a new issue. I first remember the issue with xterm(1)'s inadvisably implemented escape-sequences in a root-context, brought up heatedly, in 1988, possibly late 1987, at Copenhagens University Computer Science dept. (Diku.dk). Since then, nothing much has changed.
> > The wisdom of terminal-response-escapes in general has been questioned at regular intervals, but still none of the major terminal emulation programs have seen fit to discard these sequences, probably in a misguided attempt at compatibility with no longer used 1970s technology.
> > I admit that listing "found a security hole in all HTTP-related programs that write logfiles" will look more impressive on a resume, but I think it is misguided and a sign of trophy-hunting having overtaken common sense.
> > Instead of blaming any and all programs which write logfiles, it would be much more productive, from a security point of view, to get the terminal emulation programs to stop doing stupid things, and thus fix this and other security problems once and for all.
This is all fair and good (and I don't disagree that terminal
emulators need to get better) - but I'm just wondering, does anybody
here do error logging at info or debug? If you send the logs off
somewhere to a logging system, how do you parse these logs?
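
An added example, not part of the thread and not nginx code: a small Python filter, in the spirit of `cat -v`, that renders control characters in a log as visible `\xNN` text so a terminal never interprets them as escape sequences. The name `neutralize` and the sample lines are constructed for illustration.

```python
import re
import sys

# C0 controls except tab (this covers ESC, CR and BEL), DEL, and C1 controls
# (U+0080-U+009F), which include the single-character CSI and OSC introducers.
_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")

# Constructed sample lines (not real nginx output): the first carries a
# harmless SGR colour sequence inside the logged request path.
SAMPLE = [
    b'2022/02/13 21:17:27 [error] 1#0: open() "/srv/\x1b[31mx" failed\n',
    b'2022/02/13 21:17:28 [error] 1#0: open() "/srv/caf\xc3\xa9" failed\n',
]


def neutralize(line: bytes) -> str:
    """Render one raw log line with every control character made visible."""
    # Bytes that are not valid UTF-8 (e.g. a bare 0x9b) come out as \xNN too.
    text = line.rstrip(b"\r\n").decode("utf-8", errors="backslashreplace")
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def main(paths):
    if not paths:
        # No files given: show the effect on the constructed sample lines.
        for raw in SAMPLE:
            print(neutralize(raw))
        return
    for path in paths:
        with open(path, "rb") as fh:  # binary: never trust the file's encoding
            for raw in fh:
                print(neutralize(raw))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Printable UTF-8 text and tabs pass through unchanged; only control characters and undecodable bytes are rewritten.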