Varnish Log Escape Sequence Injection Vulnerability Network Vulnerability

Summary

This host is installed with Varnish and is prone to Log Escape Sequence Injection Vulnerability.

Impact

Successful exploitation will let the attacker execute arbitrary commands in a terminal. Impact level: Application

Solution

Upgrade to Varnish version 2.1.2 or later For updates refer to http://varnish.projects.linpro.no/wiki/WikiStart

Insight

The flaw exists when the Web Server is executed in foreground in a pty or when the logfiles are viewed with tools like 'cat' or 'tail' injected control characters reach the terminal and are executed.

Affected

Varnish version 2.0.6 and prior.

References

http://www.securityfocus.com/archive/1/archive/1/508830/100/0/threaded
http://www.ush.it/team/ush/hack_httpd_escape/adv.txt

Updated on 2015-03-25

Severity

Classification

CVE CVE-2009-4488
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N

Related Vulnerabilities

IBM WebSphere Application Server Multiple CSRF Vulnerabilities
Check for IIS .cnf file leakage
Apache Tomcat 'sort' and 'orderBy' Parameters Cross Site Scripting Vulnerabilities
httpdx Space Character Remote File Disclosure Vulnerability
IBM WebSphere Application Server IVT Cross Site Scripting Vulnerability

Take action and discover your vulnerabilities