Hi!


> I just saw something strange on
> http://nginx.org/en/security_advisories.html:
>
>
> "An error log data are not sanitized
> Severity: none
> CVE-2009-4487
> Not vulnerable: none
> Vulnerable: all"
>
>
>
> Severity is labelled as 'None', though the CVE talks, among other stuff,
> about 'arbitrary commands and file write'.
> Is your advisories page wrong? Is the CVE wrong? Has this been solved?

Afaik the nginx developers didn't agree with this CVE advisory, because its
actually a terminal problem. Nginx cannot be exploited, but the user when
looking at the log files can.

Read the advisory for details [1].



Regards,

Lukas


[1] http://www.ush.it/team/ush/hack_httpd_escape/adv.txt
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx