Nginx, Varnish, Cherokee, thttpd, WEBrick, Yaws log escape sequence injection - codexon
http://packetstormsecurity.org/1001-exploits/log-inject.txt

======
moe
Fortunately he put the only correct response to this nonsense right in there -
saves me some typing. Quote from the varnish team:

This is not a security problem in Varnish or any other piece of software which
writes a logfile.

The real problem is the mistaken belief that you can cat(1) a random logfile
to your terminal safely.

This is not a new issue. I first remember the issue with xterm(1)'s
inadvisably implemented escape-sequences in a root-context, brought up
heatedly, in 1988, possibly late 1987, at Copenhagen University's Computer
Science dept. (Diku.dk). Since then, nothing much has changed.

The wisdom of terminal-response-escapes in general has been questioned at
regular intervals, but still none of the major terminal emulation programs
have seen fit to discard these sequences, probably in a misguided attempt at
compatibility with no longer used 1970s technology.

I admit that listing "found a security hole in all HTTP-related programs that
write logfiles" will look more impressive on a resume, but I think it is
misguided and a sign of trophy-hunting having overtaken common sense.

Instead of blaming any and all programs which write logfiles, it would be
much more productive, from a security point of view, to get the terminal
emulation programs to stop doing stupid things, and thus fix this and other
security problems once and for all.
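
The practical counterpart to the Varnish reply's "don't cat(1) a random logfile to your terminal" is to pass log lines through a filter that neutralises terminal control characters before they are displayed, and to flag the lines that contained any. The following Python is an added example written for this thread; it is not code from the linked advisory, from Varnish or from any of the servers named in the title. The function names (sanitize_line, find_escape_sequences, flag_lines) and the SAMPLE_LINES access-log entries are constructed for illustration.

```python
"""Make log lines safe to print on a terminal and flag lines that carry
terminal control sequences.

Added example for the escape-sequence-in-logfiles discussion; not code
from Varnish, nginx or the linked advisory. Names and sample data are
constructed.
"""
import re
from typing import Iterable, List, Tuple

# Characters a terminal may act on rather than print: the C0 controls
# (except TAB and LF, which are ordinary log formatting), DEL, and the C1
# range 0x80-0x9f, which an 8-bit terminal treats like ESC + 0x40..0x5f.
# CR (0x0d) stays in the set because it lets later text overwrite the
# visible start of the line.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")

# Sequence shapes that matter on display. Each 7-bit form has an 8-bit C1
# equivalent (ESC [ == 0x9b, ESC ] == 0x9d), so both are matched.
_ESCAPE_SEQ = re.compile(
    r"(?:\x1b\[|\x9b)[0-?]*[ -/]*[@-~]"              # CSI: cursor, colour, erase
    r"|(?:\x1b\]|\x9d)[^\x07\x1b\x9c]*(?:\x07|\x1b\\|\x9c)"  # OSC: title etc.
    r"|\x1b[@-_]"                                    # other two-byte ESC forms
    r"|\x1b."                                        # anything else after ESC
)


def sanitize_line(line: str) -> str:
    """Return `line` with every control character rewritten as a visible
    \\xNN token, so a terminal prints it instead of interpreting it."""
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), line)


def find_escape_sequences(line: str) -> List[str]:
    """Return each terminal escape sequence found in `line` (for alerting)."""
    return [m.group(0) for m in _ESCAPE_SEQ.finditer(line)]


def flag_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, sanitized_line) for every line that contains a
    control character. This is the form to hand to a review queue; the raw
    line should never be echoed to a terminal."""
    hits = []
    for number, line in enumerate(lines, 1):
        if _CONTROL_CHARS.search(line):
            hits.append((number, sanitize_line(line)))
    return hits


# Constructed sample: one ordinary access-log line, one whose request path
# carries CSI "clear screen" and "cursor home" sequences, and one carrying
# the single-byte C1 form of CSI (0x9b). Lines read from disk should be
# decoded with latin-1 (or surrogateescape) so that 0x80-0x9f survive.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Oct/2010:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.19"',
    '203.0.113.7 - - [10/Oct/2010:13:55:37 +0000] "GET /\x1b[2J\x1b[H HTTP/1.1" 404 162 "-" "curl/7.19"',
    '203.0.113.7 - - [10/Oct/2010:13:55:38 +0000] "GET /\x9b2Jfoo HTTP/1.1" 404 162 "-" "curl/7.19"',
]

if __name__ == "__main__":
    for number, shown in flag_lines(SAMPLE_LINES):
        print("line %d: %s" % (number, shown))
        print("  sequences:", find_escape_sequences(SAMPLE_LINES[number - 1]))
```

For ad-hoc viewing the same effect comes from `cat -v` or from `less` without `-r`/`-R`, both of which show control characters in caret or hex notation rather than passing them to the terminal; the filter above is for the case where log lines are reformatted by a script or shipped into a dashboard.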

------
jws
Does anyone's VT100 emulator support the answerback function these days?

Terminal on OS X doesn't seem to. I think I remember in the dark ages there
were some that let you set the answerback message remotely, but I suspect
people figured out that was a bad idea.

Ah, but who among us didn't embed a CTRL-E in our "you are about to be idle
killed" messages and set our answerback messages to "".

------
angelbob
So... Their problem is that log files don't filter out VT100 escape sequences
by default?

This is not a terribly serious bug...