On January 12, 2010, the Aliyun Developer portal published a technical advisory on a log escape sequence injection vulnerability affecting numerous web servers, including Nginx, Varnish, Cherokee, thttpd, mini_httpd, WEBrick, Orion, AOLserver, Yaws, and Boa. The discovery was attributed to Giovanni “evilaliv3” Pellerano, Alessandro “jekil” Tanasi, and Francesco “ascii” Ongaro, who also signed the bulletin’s copyright. The advisory described how escape sequences in logs could execute malicious commands in the terminals used to view them. The investigation led to the assignment of ten distinct CVEs (CVE-2009-4487 through CVE-2009-4496) and to fixes from some vendors, such as Cherokee, WEBrick, and Jetty.
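
The defensive side of this issue, as an added example that is not taken from the advisory or from any vendor's patch: request-supplied fields are rendered inert before they reach the log, and an existing log is scanned for raw control bytes before anyone opens it in a terminal. The function names and the sample log lines are hypothetical and constructed for illustration.

```python
import re

# Anything outside printable ASCII (0x20-0x7e) is written as \xNN, so a
# terminal never receives a raw ESC or other control byte from the log.
_NON_PRINTABLE = re.compile(rb"[^\x20-\x7e]")

# Raw control bytes that should never appear inside one log line (tab allowed).
_CONTROL = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")


def escape_log_field(value: bytes) -> str:
    """Return a printable-ASCII rendering of a request-supplied field."""
    # Double backslashes first so the \xNN escapes added next stay unambiguous.
    value = value.replace(b"\\", b"\\\\")
    value = _NON_PRINTABLE.sub(lambda m: b"\\x%02x" % m.group(0)[0], value)
    return value.decode("ascii")


def find_tainted_lines(log_bytes: bytes):
    """Return (line_number, escaped_line) for lines holding raw control bytes."""
    hits = []
    for number, line in enumerate(log_bytes.split(b"\n"), start=1):
        if _CONTROL.search(line):
            hits.append((number, escape_log_field(line)))
    return hits


# Constructed sample: the second request path carries a colour-change sequence.
SAMPLE_LOG = (
    b'192.0.2.10 - - [12/Jan/2010:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512\n'
    b'192.0.2.11 - - [12/Jan/2010:10:00:05 +0000] "GET /\x1b[31mx HTTP/1.1" 404 0\n'
)

if __name__ == "__main__":
    for number, safe_line in find_tainted_lines(SAMPLE_LOG):
        print(f"line {number}: {safe_line}")
```

Escaping at write time is the durable fix; the scan is for logs already produced by a server that wrote fields raw.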