HTTP Servers Log Escape Sequence Injection - Multi-Vendor Advisory

2010

10 January 2010

Event

N/A

What

CVE

cve vulnerability nginx varnish cherokee thttpd mini-httpd webrick orion aolserver yaws boa log-injection escape-sequence advisory security-research

On January 10, 2010, researcher Alessandro “jekil” Tanasi published on his blog a technical advisory written together with Francesco “ascii” Ongaro and Giovanni “evilaliv3” Pellerano of the USH team. The document, titled “Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection”, described a vulnerability common to eleven HTTP servers: the injection of terminal escape sequences into log files via attacker-controlled request data. Ongaro is listed among the principal authors and signatories of the advisory, which led to the assignment of ten CVEs by Mitre and to fixes from some vendors, such as Cherokee and Ruby/WEBrick.

Archived PDF document