CVE-2009-4487 - Unspecified vulnerability in F5 Nginx 0.7.64

CVSS: 6.8 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, f5, nessus, exploit available

Summary

nginx 0.7.64 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.

Vulnerable Configurations

Part         Description  Count
Application  F5           1

Exploit-Db

description: nginx 0.7.64 Terminal Escape Sequence in Logs Command Injection Vulnerability. CVE-2009-4487. Remote exploits for multiple platform
id: EDB-ID:33490
last seen: 2016-02-03
modified: 2010-01-11
published: 2010-01-11
reporter: evilaliv3
source: https://www.exploit-db.com/download/33490/
title: nginx 0.7.64 Terminal Escape Sequence in Logs Command Injection Vulnerability

Nessus

NASL family: Web Servers
NASL id: NGINX_0_7_64.NASL
description: According to the self-reported version in its response header, the version of nginx hosted on the remote web server is less than 0.7.64 or 0.8.x prior to 0.8.23. It is, therefore, affected by multiple vulnerabilities as noted in the vendor advisory.
last seen: 2020-05-09
modified: 2018-03-09
plugin id: 107262
published: 2018-03-09
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/107262
title: nginx < 0.7.64 / 0.8.x < 0.8.23 Multiple Vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(107262);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/08");

  script_cve_id("CVE-2009-3555", "CVE-2009-4487");

  script_name(english:"nginx < 0.7.64 / 0.8.x < 0.8.23 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to the self-reported version in its response header, the
version of nginx hosted on the remote web server is less than 0.7.64
or 0.8.x prior to 0.8.23. It is, therefore, affected by multiple
vulnerabilities as noted in the vendor advisory.");
  script_set_attribute(attribute:"see_also", value:"http://nginx.org/en/security_advisories.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to nginx version 0.7.64 / 0.8.23 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2009-3555");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 310);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/09");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:igor_sysoev:nginx");
  script_set_attribute(attribute:"agent", value:"unix");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("nginx_detect.nasl", "nginx_nix_installed.nbin");
  script_require_keys("installed_sw/nginx");
  exit(0);
}

include('http.inc');
include('vcf.inc');

if (report_paranoia < 2) audit(AUDIT_PARANOID);

appname = 'nginx';
get_install_count(app_name:appname, exit_if_zero:TRUE);
app_info = vcf::combined_get_app_info(app:appname);

vcf::check_granularity(app_info:app_info, sig_segments:3);
# If the detection is only remote, Detection Method won't be set, and we should require paranoia
if (empty_or_null(app_info['Detection Method']) && report_paranoia < 2)
  audit(AUDIT_PARANOID);

constraints = [
  {'fixed_version' : '0.7.64'},
  {'fixed_version' : '0.8.23', 'min_version' : '0.8.0'}
];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);

Packetstorm

data source: https://packetstormsecurity.com/files/download/85018/log-inject.txt
id: PACKETSTORM:85018
last seen: 2016-12-05
published: 2010-01-11
reporter: Francesco Ongaro
source: https://packetstormsecurity.com/files/85018/Nginx-Varnish-Cherokee-etc-Log-Injection.html
title: Nginx, Varnish, Cherokee, etc Log Injection