QID 730131

Date Published: 2021-07-14

QID 730131: ACME Labs mini_httpd Log Escape Sequence Injection Vulnerability

mini_httpd is a small HTTP server. Its performance is not great, but for low or medium traffic sites it's quite adequate. It implements all the basic features of an HTTP server.

mini_httpd writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.

Affected Versions:
mini_httpd version 1.19

QID Detection Logic (Unauthenticated):
This QID Checks for the vulnerable versions based on the exposed banner information under the HTTP service.

Successful exploitation allows remote attackers to modify a window title, or possibly execute arbitrary commands or overwrite files.

CVSS V3 rated as Medium - 5.3 severity.

CVSS V2 rated as Medium - 5 severity.

Solution

This vulnerability have been patched in ACME Updates. Refer to new versions mini_httpd.

Vendor References

mini_httpd - acme.com/software/mini_httpd

CVEs related to QID 730131

CVE-2009-4490 |

Software Advisories

Advisory ID	Software	Component	Link
mini_httpd			www.acme.com/software/mini_httpd/

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].