Summary
Varnish is installed on this host and is prone to a log escape sequence injection vulnerability.
Impact
Successful exploitation will let the attacker execute arbitrary commands in a terminal.
Impact level: Application
Solution
Upgrade to Varnish version 2.1.2 or later.
For updates, refer to http://varnish.projects.linpro.no/wiki/WikiStart
Insight
The flaw exists when the web server is executed in the foreground in a pty, or when the log files are viewed with tools like 'cat' or 'tail': in both cases injected control characters reach the terminal and are executed.
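A log viewing filter for the situation described above, as an added example that is not part of the advisory or of Varnish: it rewrites control characters as visible `\xNN` text and flags the lines that contained them, so the bytes never reach the terminal. The function names and the sample log lines are constructed for illustration.

```python
import re
import sys

# C0 controls except tab, DEL, C1 controls (U+0080-U+009F, including the 8-bit
# CSI U+009B), and the surrogates that stand in for undecodable raw bytes.
_CONTROL = re.compile("[\x00-\x08\x0a-\x1f\x7f-\x9f\udc80-\udcff]")


def _visible(match):
    code = ord(match.group())
    # surrogateescape maps an invalid byte 0xNN to U+DCNN; recover the byte value.
    return "\\x%02x" % (code - 0xDC00 if code >= 0xDC00 else code)


def neutralize(raw: bytes) -> tuple[str, int]:
    """Return (printable_text, control_chars_escaped) for one raw log line."""
    text = raw.rstrip(b"\r\n").decode("utf-8", errors="surrogateescape")
    return _CONTROL.subn(_visible, text)


def scan(lines):
    """Yield (line_number, safe_text, flagged) for each raw log line."""
    for number, raw in enumerate(lines, start=1):
        safe, hits = neutralize(raw)
        yield number, safe, hits > 0


# Constructed sample in NCSA-style format; the second request line carries a
# window-title sequence (ESC ] 2 ; ... BEL) and a colour sequence (ESC [ 31 m).
SAMPLE_LOG = [
    b'192.0.2.10 - - [12/Jan/2010:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512\n',
    b'192.0.2.66 - - [12/Jan/2010:10:00:02 +0000] "GET /\x1b]2;demo\x07\x1b[31m HTTP/1.1" 404 0\n',
]

if __name__ == "__main__":
    # Use in place of cat: pass a log file path, or run with no argument for the sample.
    source = open(sys.argv[1], "rb") if len(sys.argv) > 1 else SAMPLE_LOG
    for number, safe, flagged in scan(source):
        print(("!! " if flagged else "   ") + safe)
```

Flagged lines are also a useful detection signal, since legitimate request lines do not normally contain terminal control characters.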
Affected
Varnish version 2.0.6 and prior.
Severity
Classification
- CVE: CVE-2009-4488
- CVSS Base Score: 5.0
- CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Related Vulnerabilities
- Acritum Femitter Server 1.03 Multiple Remote Vulnerabilities
- bozotic HTTP server Information Disclosure Vulnerability
- GoAhead WebServer 'name' and 'address' Cross-Site Scripting Vulnerabilities
- Acme thttpd and mini_httpd Terminal Escape Sequence in Logs Command Injection Vulnerability
- IBM WebSphere Application Server Multiple Vulnerabilities