CVE-2009-4490
Published: 2010-01-13
Priority: P2 · 65 · medium · 5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
In the wild: exploited · VulnCheck KEV
EPSS: 10.27% (95.1th percentile)
mini_httpd 1.19 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| acme | mini_httpd | — | — |
| debian | mini-httpd | — | — |
Detection & IOCs (extracted from sources)
Indicator (bytes): \x1b]2;<title>\x07
- Detect HTTP requests containing terminal escape sequences (ESC ], the OSC introducer, bytes 0x1b 0x5d) in the request URI or headers; mini_httpd logs these unsanitized, and they can inject commands into a terminal emulator viewing the log.
- Look for URL-encoded escape sequences in HTTP GET requests: %1b (ESC), %5d (]) and %07 (BEL) are hallmarks of OSC terminal injection payloads targeting mini_httpd log files.
- Monitor raw TCP connections to port 80 delivering crafted GET requests with embedded non-printable/escape characters (\x1b, \x07) rather than the standard URL-encoded traffic browsers send.
- Alert on mini_httpd access log entries containing non-printable characters, particularly ESC (0x1b) followed by ] (0x5d), which indicates an unsanitized terminal escape sequence was written to the log.
- The vulnerability affects mini_httpd 1.19 and thttpd 2.25b; other versions may also be affected. Exploitation requires an attacker who can send HTTP requests to the server and a privileged user who views the unsanitized log file in a vulnerable terminal emulator.
- The Debian security tracker marks this CVE as open (unpatched) across multiple active releases, including bookworm, bullseye, trixie, forky and sid; deployments on these distributions remain vulnerable.
- The scope of exploitation is local in the sense that the terminal injection is triggered when a local user views the log file in a terminal; the initial attack vector is remote (an HTTP request).
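As an added illustration (not part of this record or of mini_httpd itself), the following Python applies the detection bullets above to constructed access-log lines and shows the matching mitigation: escaping control bytes before a log line is displayed in a terminal. The log lines, hostnames and user agents are constructed samples.

```python
import re
from urllib.parse import unquote

# C0 control bytes (except TAB/LF) plus DEL: none of these belong in an access log line.
RAW_CTRL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")
# ESC ] introduces an OSC sequence (e.g. ESC ] 2 ; <title> BEL sets the window title).
OSC_START = re.compile(r"\x1b\]")
ENCODED_ESC = re.compile(r"%1[bB]")  # %1b is ESC in URL-encoded form


def classify(line):
    """Return the findings for one log line; an empty list means the line is clean."""
    findings = []
    if OSC_START.search(line):
        findings.append("raw OSC sequence (ESC ])")
    elif RAW_CTRL.search(line):
        findings.append("raw control byte")
    # A request sent URL-encoded (%1b %5d ... %07) decodes into the same OSC sequence.
    decoded = unquote(line)
    if decoded != line and OSC_START.search(decoded):
        findings.append("url-encoded OSC sequence")
    elif ENCODED_ESC.search(line):
        findings.append("url-encoded ESC")
    return findings


def sanitize(line):
    """Escape control bytes as \\xNN so the line can be viewed in a terminal safely."""
    return RAW_CTRL.sub(lambda m: "\\x%02x" % ord(m.group()), line)


def scan(lines):
    """Number the lines that need attention and pair each with its findings."""
    return [(n, f) for n, l in enumerate(lines, 1) if (f := classify(l))]


# Constructed sample lines in mini_httpd's combined log format (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Jan/2010:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "" "Mozilla/5.0"',
    '192.0.2.11 - - [13/Jan/2010:10:00:01 +0000] "GET /\x1b]2;title\x07 HTTP/1.1" 404 0 "" "curl/7.19"',
    '192.0.2.12 - - [13/Jan/2010:10:00:02 +0000] "GET /%1b%5d2;title%07 HTTP/1.1" 404 0 "" "curl/7.19"',
    '192.0.2.13 - - [13/Jan/2010:10:00:03 +0000] "GET /a%20b.html HTTP/1.1" 200 64 "" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, findings in scan(SAMPLE_LOG):
        print(n, findings, sanitize(SAMPLE_LOG[n - 1]))
```

Pipe a real mini_httpd log through `sanitize` (for example from a wrapper script) before viewing it, and feed `classify` output to an alerting pipeline; the percent-decoding branch matters because a request that arrives URL-encoded produces the same bytes once decoded.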
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v2.0) | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | 5.0 | MEDIUM | — |
| vulncheck | 5.0 | MEDIUM | — |
| vendor_debian | 5.0 | LOW | — |
GHSA
GHSA-cqc7-8rq3-fvw9 · ghsa_unreviewed · 2022-05-02 · CVE-2009-4490 [MEDIUM] · CWE-20 (same description as above)
OSV
CVE-2009-4490 · osv · 2010-01-13 · CVSS 5.0 [MEDIUM] (same description as above)
VulnCheck
acme mini_httpd Improper Input Validation · vulncheck · 2009 · CVSS 5.0 · CVE-2009-4490 [MEDIUM] (same description as above)
Affected: acme mini_httpd
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai
Debian
CVE-2009-4490: mini-httpd · vendor_debian · 2009 · CVSS 5.0 [MEDIUM] (same description as above)
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
No detection rules found.
Fortinet
The Ghosts of Mirai | FortiGuard Labs · blogs_fortinet · 2021-06-24
The Ghosts of Mirai
By David Maciejak and Joie Salvio | June 24, 2021
FortiGuard Labs Threat Research Report
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
It has been almost five years since the source code of the notorious MIRAI IoT malware was released to the public by its author in late 2016. This event led to the emergence of numerous copycats, creating their own flavors of IoT botnet armies. Although improvements have been constantly added since then by various threat actors, the structure and goal of the campaigns have remained the same.
IoT malware scans the Internet for IoT devices that use default or weak usernames and passwords. They also seek
Greynoiseio
Malicious Tag Roundup (October 2021) · blogs_greynoiseio · CVSS 10.0 [CRITICAL]