Forum: NGINX Strange advisory

B.R. (Guest)
on 2014-05-10 21:01
(Received via mailing list)
I just saw something strange on
http://nginx.org/en/security_advisories.html
:
"An error log data are not sanitized
Severity: none
CVE-2009-4487
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-...
Not vulnerable: none
Vulnerable: all"

Severity is labelled as 'None', though the CVE talks, among other stuff,
about 'arbitrary commands and file write'.
Is your advisories page wrong? Is the CVE wrong? Has this been solved?
---
*B. R.*
Kurt Cancemi (Guest)
on 2014-05-10 21:42
(Received via mailing list)
Hello,

This has not been fixed in current nginx releases; this is not directly related to nginx either: the problem is that outdated terminal emulators would parse the potentially malicious commands in the log file. This answer http://unix.stackexchange.com/a/15210 explains it better.

---
Regards,
Kurt Cancemi
Lukas Tribus (Guest)
on 2014-05-10 21:45
(Received via mailing list)
Hi!

> Severity is labelled as 'None', though the CVE talks, among other stuff,
> about 'arbitrary commands and file write'.
> Is your advisories page wrong? Is the CVE wrong? Has this been solved?

Afaik the nginx developers didn't agree with this CVE advisory, because it's actually a terminal problem. Nginx cannot be exploited, but the user when looking at the log files can.

Read the advisory for details [1].

Regards,

Lukas

[1] http://www.ush.it/team/ush/hack_httpd_escape/adv.txt
B.R. (Guest)
on 2014-05-11 06:27
(Received via mailing list)
I read the StackOverflow thread and it seems there are 2 teams ping-ponging the problem:
- One says that it is a terminal problem and that control and escape sequences should not be executed
- The other says that those features are useful and says that log files are supposed to be text-only, thus readable safely in a terminal (no control character should be there)

The advisory stands from the second point of view, which I tend to agree with. If logs cannot be trusted, which are supposed to be filled with text, then everything around monitoring (reading, parsing, copying) becomes a nightmare.

What is the benefit of having those unescaped control characters in a log file? Escaping them allows you to warn about their presence safely... and that is directly exploitable by anything, once again safely.
---
*B. R.*
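A defensive log filter of the kind argued for above, added here as an example (it is not code from this thread or from nginx): it renders control bytes visibly before a line reaches a terminal and counts the terminal escape sequences it neutralised, run over constructed lines written in the style of nginx's error log. The regular expressions and function names are my own assumptions, not anything nginx ships.

```python
import re

# Constructed sample lines in the style of nginx's error log (not real log data).
# Lines 2 and 3 carry an attacker-controlled request line logged raw: an OSC
# window-title sequence and a CSI clear-screen/home sequence respectively.
SAMPLE_LINES = [
    '2014/05/10 21:01:00 [error] 1234#0: *1 open() "/var/www/x" failed (2: No such file or directory)',
    '2014/05/10 21:01:05 [error] 1234#0: *2 invalid request line, request: "GET /\x1b]0;owned\x07 HTTP/1.1"',
    '2014/05/10 21:01:07 [error] 1234#0: *3 invalid request line, request: "GET /\x1b[2J\x1b[H HTTP/1.1"',
]

# Terminal escape sequences a viewer might act on: CSI, OSC, other 7-bit ESC
# sequences, and the 8-bit C1 control codes (assumed pattern set, not exhaustive).
ESCAPE_SEQUENCE = re.compile(
    r'\x1b\[[0-?]*[ -/]*[@-~]'              # CSI: ESC [ params intermediates final
    r'|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)'   # OSC: ESC ] ... terminated by BEL or ESC \
    r'|\x1b[@-_]'                           # other 7-bit escape: ESC + one byte
    r'|[\x80-\x9f]'                         # 8-bit C1 control codes
)


def sanitize(line):
    """Render every control character (except TAB) as a visible \\xNN escape."""
    def show(c):
        o = ord(c)
        if (o < 0x20 and c != '\t') or 0x7f <= o <= 0x9f:
            return f'\\x{o:02x}'
        return c
    return ''.join(show(c) for c in line)


def find_escape_sequences(line):
    """Return the raw terminal escape sequences present in the line."""
    return ESCAPE_SEQUENCE.findall(line)


def review(lines):
    """Return (line number, sanitized text, escape-sequence count) per line."""
    return [(n, sanitize(line), len(find_escape_sequences(line)))
            for n, line in enumerate(lines, 1)]


if __name__ == '__main__':
    for n, text, count in review(SAMPLE_LINES):
        flag = f'   <-- {count} escape sequence(s) neutralised' if count else ''
        print(f'{n}: {text}{flag}')
```

Piping a real error log through `review()` before display gives the warning the post asks for without the terminal ever seeing a raw ESC byte.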
itpp2012 (Guest)
on 2014-05-11 11:13
(Received via mailing list)
"One man's data is another man's code"

If this would happen on Windows you'd scream murder, yet in 2014 you are advocating an insecure workspace by allowing foreign control stuff to do out of bound stuff.

Anything and anyone can create a file which contains stuff, it is the responsibility of whatever views/reads it for what happens not the initial creator.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,250008,250014#msg-250014
Valentin V. Bartenev (Guest)
on 2014-05-13 10:23
(Received via mailing list)
On Sunday 11 May 2014 06:25:53 B.R. wrote:
[..]
> What is the benefit of having those unescaped control characters in a log
> file? Escaping them allows you to warn about their presence safely... and
> that is directly exploitable by anything, once again safely.

The benefit is that you can easily find in the error/debug log exactly what a client has sent with binary precision, and therefore better diagnose a problem.  And this actually is the main purpose of the error log (normally it's just empty).

  wbr, Valentin V. Bartenev
B.R. (Guest)
on 2014-05-13 15:44
(Received via mailing list)
Thanks to both of you for precisions about your point of view.

Having thought more about it, it seems indeed strange to *interpret* log file content to *execute* script snippets in order to change window title or alike, following the link Kurt provided.
It seems that old-fashioned habits have taken advantage of backward-compatible features in modern emulated terminals.

Switching to the fact that emulator vendors should correct this, who to contact for it? I suppose it has nothing to do with the kernel, but rather with multiple GNU libraries around it.
---
*B. R.*