Re: Strange advisory

2014-05-13 Thread B.R.
Thanks to both of you for precisions about your point of view. Having thought more about it, it seems indeed strange to *interpret* log file content to *execute* script snippet in order to change window title or alike, following the link Kurt provided. It seems that old-fashioned habits have taken adv

Re: Strange advisory

2014-05-13 Thread Valentin V. Bartenev
On Sunday 11 May 2014 06:25:53 B.R. wrote:
[..]
> What is the benefit of having those unescaped control characters in a log
> file? Escaping them allows you to warn about their presence safely... and
> that is directly exploitable by anything, once again safely.

The benefit is that you can easily

Re: Strange advisory

2014-05-11 Thread itpp2012
"One man's data is another man's code" If this would happen on Windows you'd scream murder, yet in 2014 you are advocating an insecure workspace by allowing foreign control stuff to do out of bound stuff. Anything and anyone can create a file which contains stuff, it is the responsibility of what

Re: Strange advisory

2014-05-10 Thread B.R.
I read the StackOverflow thread and it seems there are 2 teams ping-ponging the problem:
- One says that it is a terminal problem and that control and escape sequences should not be executed
- The other says that those features are useful and says that log files are supposed to be text-only, thus r

RE: Strange advisory

2014-05-10 Thread Lukas Tribus
Hi!

> I just saw something strange on
> http://nginx.org/en/security_advisories.html:
>
> "An error log data are not sanitized
> Severity: none
> CVE-2009-4487
> Not vulnerable: none
> Vulnerable: all"
>
> Severity is labelled as 'None', though the CVE talks, among other stuff,
> about

Re: Strange advisory

2014-05-10 Thread Kurt Cancemi
Hello, This has not been fixed in current nginx releases, this is not directly related to nginx either, the problem is outdated terminal emulators would parse the potentially malicious commands in the log file. This answer http://unix.stackexchange.com/a/15210 explains it better. --- Regards, Kur

Strange advisory

2014-05-10 Thread B.R.
I just saw something strange on http://nginx.org/en/security_advisories.html :

"An error log data are not sanitized
Severity: none
CVE-2009-4487
Not vulnerable: none
Vulnerable: all"

Severity is labelled as 'None', though the CVE talks,