CVE-2009-4490
published 2010-01-13


Priority: P265, medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Tags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 10.27% (95.1th percentile)

mini_httpd 1.19 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.

Affected

2 ranges

Vendor   Product      Version range   Fixed in
acme     mini_httpd
debian   mini-httpd

Detection & IOCs (extracted from sources)

url: http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
command: echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
bytes: \x1b]2;<title>\x07
  • Detect HTTP requests containing terminal escape sequences (ESC ] — OSC sequences, 0x1b 0x5d) in the request URI or headers, which mini_httpd logs unsanitized and can inject commands into a terminal emulator viewing the log.
  • Look for URL-encoded escape sequences in HTTP GET requests: %1b (ESC), %5d (]), %07 (BEL) are hallmarks of OSC terminal injection payloads targeting mini_httpd log files.
  • Monitor raw TCP connections to port 80 delivering crafted GET requests with embedded non-printable/escape characters (\x1b, \x07) rather than standard URL-encoded traffic from browsers.
  • Alert on mini_httpd access log entries containing non-printable characters, particularly ESC (0x1b) followed by ] (0x5d), indicating an unsanitized terminal escape sequence was written to the log.
  • The vulnerability affects mini_httpd 1.19 and thttpd 2.25b; other versions may also be affected. Exploitation requires an attacker to be able to send HTTP requests to the server and a privileged user to view the unsanitized log file in a vulnerable terminal emulator.
  • The Debian security tracker marks this CVE as open (unpatched) across multiple active releases including bookworm, bullseye, trixie, forky, and sid — deployments on these distributions remain vulnerable.
  • The scope of exploitation is local in the sense that the terminal injection is triggered when a local user views the log file in a terminal; the initial attack vector is remote (HTTP request).
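
The log check described in the detection notes above, as an added example that is not part of the original page or of any vendor tooling: it flags raw OSC/control bytes and percent-encoded control bytes in access-log lines, and returns only an escaped rendering so the reviewer's own terminal never interprets the bytes. The Common Log Format layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# C0 control bytes (tab excluded) and DEL; none belong in a text access log.
RAW_CTRL = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")
# OSC sequence: ESC ] ... terminated by BEL or ESC \ (the page's \x1b]2;<title>\x07).
RAW_OSC = re.compile(rb"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")
# Percent-encoded control bytes in the request (%00-%1f, %7f), e.g. %1b and %07.
ENC_CTRL = re.compile(rb"%(?:[01][0-9a-f]|7f)", re.IGNORECASE)


def classify(line: bytes) -> list[str]:
    """Return the finding labels that apply to one log line."""
    findings = []
    if RAW_OSC.search(line):
        findings.append("raw-osc")
    elif RAW_CTRL.search(line):
        findings.append("raw-control")
    if ENC_CTRL.search(line):
        findings.append("encoded-control")
    return findings


def safe_render(line: bytes) -> str:
    """Escape every non-printable byte so the line is safe to show in a terminal."""
    return "".join(chr(b) if 0x20 <= b < 0x7f else f"\\x{b:02x}" for b in line)


def scan(log: bytes) -> list[tuple[int, list[str], str]]:
    """Return (line number, findings, escaped line) for each suspicious line."""
    hits = []
    for n, line in enumerate(log.split(b"\n"), start=1):
        found = classify(line)
        if found:
            hits.append((n, found, safe_render(line)))
    return hits


# Constructed sample log (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = (
    b'192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 512\n'
    b'192.0.2.66 - - [01/Jan/2010:10:00:05 +0000] "GET /\x1b]2;owned?\x07" 400 0\n'
    b'192.0.2.66 - - [01/Jan/2010:10:00:09 +0000] "GET /%1b%5d%32%3b%6f%77%6e%65%64%07 HTTP/1.0" 404 0\n'
    b'192.0.2.20 - - [01/Jan/2010:10:00:12 +0000] "GET /a%20b.html HTTP/1.0" 200 90\n'
)

if __name__ == "__main__":
    for lineno, findings, rendered in scan(SAMPLE_LOG):
        print(lineno, ",".join(findings), rendered)
```

Read the log file in binary mode before passing it to `scan`, so that control bytes reach the check unchanged.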

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
osv                       5.0     MEDIUM
vulncheck                 5.0     MEDIUM
vendor_debian             5.0     LOW