Threat Encyclopedia

Acme.thttpd.and.minihttpd.Command.Injection.Vulnerability

Description

mini_httpd is a small HTTP server. It provides a very lightweight solution for low-traffic sites.
mini_httpd 1.19 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. (CVE-2009-4490)
thttpd 2.25b0 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. (CVE-2009-4491)
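
The sanitization step the description says is missing, shown as an added example (not code from thttpd, mini_httpd, or this advisory). `log_escape` is a hypothetical helper that rewrites every non-printable byte of a request-derived field as `\xHH` before it reaches the log file; the sample request is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (assumption, not from thttpd or mini_httpd): copy a
 * request-derived field into out, rewriting every byte outside printable
 * ASCII as \xHH so a terminal displaying the log never receives a raw
 * control byte. Returns bytes written (excluding the NUL); if out is too
 * small, output stops at a whole-escape boundary. */
size_t log_escape(const char *in, size_t inlen, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (outsz == 0)
        return 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c >= 0x20 && c <= 0x7e && c != '\\') {
            if (o + 1 >= outsz)
                break;
            out[o++] = (char)c;
        } else {
            /* ESC, BEL, CR, LF, NUL, 8-bit bytes (incl. 0x9b CSI), and '\'
             * itself so a client cannot forge text that looks escaped. */
            if (o + 4 >= outsz)
                break;
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: request path carrying a terminal title-set sequence */
    const char req[] = "/index.html\x1b]0;title\x07";
    char line[128];

    log_escape(req, sizeof req - 1, line, sizeof line);
    printf("GET %s\n", line);
    return 0;
}
```

The same escaping applies to every client-controlled field that is logged, not only the request path.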

Affected Products

mini_httpd versions prior to 1.19
thttpd versions prior to 2.25b

Impact

This vulnerability could allow an attacker to execute arbitrary code on a vulnerable system.

Recommended Actions

Users are advised to update to the latest version.

CVE References

CVE-2009-4490, CVE-2009-4491