SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Web Server/CGI)  >   Apache Vendors:   Apache Software Foundation
Apache Web Server Does Not Filter Terminal Escape Sequences From Log Files
SecurityTracker Alert ID:  1007557
SecurityTracker URL:  http://securitytracker.com/id/1007557
CVE Reference:   CAN-2003-0083, CAN-2003-0020   (Links to External Site)
Updated:  Dec 1 2003
Original Entry Date:  Aug 22 2003
Impact:   Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Prior to 1.3.25 and 2.0.46
Description:   A potential security issue was reported in the Apache web server. The server does not filter terminal escape sequences from the log files.

[Originally reported in April 2003]

It is reported that the Apache web server does not filter terminal escape sequences from the access logs (CVE: CAN-2003-0083) and error logs (CVE: CAN-2003-0020). A remote user can request a specially crafted URL to cause the web server to log malicious escape sequences to the log files. Then, if a target user views the log files with certain terminal applications, the escape sequences may be executed by the target user's terminal application.
Impact:   If a target user views the log files using certain terminal applications and a remote user has caused the server to log certain escape sequences, the terminal application may execute the escape sequences.

[Editor's note: This security weakness does not affect the Apache web server by itself or any software distributed with Apache. This security weakness is only an issue if certain terminal applications are used to view the log files.]
Solution:   The vendor released fixed versions (1.3.25 and 2.0.46), available at:

http://httpd.apache.org/
Vendor URL:  httpd.apache.org/ (Links to External Site)
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 23 2003 (Red Hat Issues Fix for RH Enterprise Linux) Apache Web Server Does Not Filter Terminal Escape Sequences From Log Files   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux.
Apr 1 2004 (Trustix Issues Fix) Apache Web Server Does Not Filter Terminal Escape Sequences From Log Files   (Trustix Security Advisor <tsl@trustix.org>)
Trustix has released a fix.
Apr 14 2004 (Conectiva Issues Fix) Apache Web Server Does Not Filter Terminal Escape Sequences From Log Files   (Conectiva Updates <secure@conectiva.com.br>)
Conectiva has released a fix.
Apr 26 2004 (HP Issues Fix for HP-UX) Apache Web Server Does Not Filter Terminal Escape Sequences From Log Files
HP has issued a fix for HP-UX.
May 4 2004 (Apple Issues Fix for OS X) Apache Web Server Does Not Filter Terminal Escape Sequences From Log Files   (Apple Product Security <product-security@apple.com>)
Apple has released a fix for Mac OS X.
May 13 2004 (Slackware Issues Fix) Apache Web Server Does Not Filter Terminal Escape Sequences From Log Files   (Slackware Security Team <security@slackware.com>)
Slackware has released a fix.
May 18 2004 (Mandrake Issues Fix) Apache Web Server Does Not Filter Terminal Escape Sequences From Log Files   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.
May 20 2004 (Mandrake Issues Fix for mod_perl) Apache Web Server Does Not Filter Terminal Escape Sequences From Log Files   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has issued a fix for mod_perl.
May 25 2004 (Fedora Issues Fix) Apache Web Server Does Not Filter Terminal Escape Sequences From Log Files   (Joe Orton <jorton@redhat.com>)
Fedora has released a fix for Fedora Core 1 (FC1).
May 26 2004 (Gentoo Issues Fix) Apache Web Server Does Not Filter Terminal Escape Sequences From Log Files   (Kurt Lieber <klieber@gentoo.org>)
Gentoo has released a fix.
Jun 11 2004 (HP Issues Fix for Tru64) Apache Web Server Does Not Filter Terminal Escape Sequences From Log Files
HP has issued patches.
Sep 10 2004 (Sun Issues Fix) Apache Web Server Does Not Filter Terminal Escape Sequences From Log Files
Sun has issued a fix for Solaris 9.
Dec 2 2004 (Apple Issues Fix for OS X) Apache Web Server Does Not Filter Terminal Escape Sequences From Log Files
Apple has issued a fix for Apache on Mac OS X.


 Source Message Contents
Date:  Wed, 20 Aug 2003 12:19:30 -0400
Subject:  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0083


09-APR-03 RHSA-2003:139-07

 > Apache 2.0 does not filter terminal escape sequences from its access logs,
 > which could make it easier for attackers to insert those sequences into
 > terminal emulators containing vulnerabilities related to escape sequences.
 >
 > Apache does not filter terminal escape sequences from its error logs, which
 > could make it easier for attackers to insert those sequences into terminal
 > emulators containing vulnerabilities related to escape sequences.

CVE: CAN-2003-0083

Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46.

References 	

http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/modules/standard/mod_log_config.c?only_with_tag=APACHE_1_3_25

http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/loggers/mod_log_config.c?only_with_tag=APACHE_2_0_BRANCH


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC