CVE-2009-4490

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

mini_httpd 1.19 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.

Predictions

Exploit likelihood

55%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2009-4490 NameCVE-2009-4490 Descriptionmini_httpd 1.19 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red…

CVE-2009-4490

Name	CVE-2009-4490
Description	mini_httpd 1.19 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
mini-httpd (PTS)	bullseye	1.30-2	vulnerable
	bookworm	1.30-3	vulnerable
	trixie	1.30-13	vulnerable
	forky	1.30-16	vulnerable
	sid	1.30-17	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
mini-httpd	source	(unstable)	(unfixed)	unimportant

Notes

The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-33500 remote multiple verified

evilaliv3 · 2010-01-11

mini_httpd 1.18 - HTTP Request Escape Sequence Terminal Command Injection

Source code queued for fetch — refresh in a moment.

OS impact

Debian Affected 5 releases

Version	Status	Fixed in
trixie	Affected	—
sid	Affected	—
forky	Affected	—
bullseye	Affected	—
bookworm	Affected	—

References

https://security-tracker.debian.org/tracker/CVE-2009-4490

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.