Is nginx still vulnerable to CVE-2009-4487 ?

Moshe Katz moshe at ymkatz.net
Sun Feb 13 18:44:00 UTC 2022


I can't speak for the nginx team, but as noted by "Severity: none", I
assume they agree with many other vendors that this is not actually a
vulnerability in nginx itself.

For example, here is what the authors of Varnish said in response to this
CVE:

> This is not a security problem in Varnish or any other piece of software
which writes a logfile.
>
> The real problem is the mistaken belief that you can cat(1) a random
logfile to your terminal safely.
>
>This is not a new issue. I first remember the issue with xterm(1)'s
inadvisably implemented escape-sequences in a root-context, brought up
heatedly, in 1988, possibly late 1987, at Copenhagens University Computer
Science dept. (Diku.dk). Since then, nothing much have changed.
>
> The wisdom of terminal-response-escapes in general have been questioned
at regular intervals, but still none of the major terminal emulation
programs have seen fit to discard these sequences, probably in a misguided
attempt at compatibility with no longer used 1970'es technology.
>
> I admit that listing "found a security hole in all HTTP-related
programs that write logfiles" will look more impressive on a resume, but I
think it is misguided and a sign of trophy-hunting having overtaken
common sense.
>
> Instead of blaming any and all programs which writes logfiles, it
would be much more productive, from a security point of view, to get
the terminal emulation programs to stop doing stupid things, and thus
fix this and other security problems once and for all.


Moshe

On Sun, Feb 13, 2022 at 11:46 AM Hritik Vijay <hritikxx8 at gmail.com> wrote:

> Hello
>
> The advisories page (https://nginx.org/en/security_advisories.html) for
> nginx mentions the following:
>         An error log data are not sanitized
>         Severity: none
>         CVE-2009-4487
>         Not vulnerable: none
>         Vulnerable: all
>
> Was this vulnerability ever fixed ? If so, can we please get the
> advisory updated ?
>
> Hrtk
> _______________________________________________
> nginx mailing list -- nginx at nginx.org
> To unsubscribe send an email to nginx-leave at nginx.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20220213/4f1b6ae0/attachment.htm>


More information about the nginx mailing list