ush.it - a beautiful place

Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection

January 11, 2010 at 2:16 am - Filed under Hacks, Language EN - 2587 words, reading time ~8 minutes - Permalink - Comments

If you have read our previous article Jetty 6.x and 7.x Multiple Vulnerabilities your are already familiar to an attack vector called log escape sequence injection. It allows remote attackers to remotely exploit terminal emulator vulnerabilities that may happen when displaying in an unsafe manner files containing escape sequences. While the real issue belong to the terminals, programs that does not sanitize outputs make this vector relevant in the real world.

THP USH Wisec DigitalBullets