3 comments

[ 4.1 ms ] story [ 24.1 ms ] thread
So... Their problem is that log files don't filter out VT100 escape sequences by default?

This is not a terribly serious bug...

Does anyone's VT100 emulator support the answerback function these days?

Terminal on OS X doesn't seem to. I think I remember in the dark ages there were some that let you set the answerback message remotely, but I suspect people figured out that was a bad idea.

Ah, but who among us didn't embed a CTRL-E in our "you are about to be idle killed" messages and set our answerback messages to "".

Fortunately he put the only correct response to this nonsense right in there - saves me some typing. Quote from the varnish team:

This is not a security problem in Varnish or any other piece of software which writes a logfile.

The real problem is the mistaken belief that you can cat(1) a random logfile to your terminal safely.

This is not a new issue. I first remember the issue with xterm(1)'s inadvisably implemented escape-sequences in a root-context, brought up heatedly, in 1988, possibly late 1987, at Copenhagens University Computer Science dept. (Diku.dk). Since then, nothing much have changed.

The wisdom of terminal-response-escapes in general have been questioned at regular intervals, but still none of the major terminal emulation programs have seen fit to discard these sequences, probably in a misguided attempt at compatibility with no longer used 1970'es technology.

I admit that listing "found a security hole in all HTTP-related programs that write logfiles" will look more impressive on a resume, but I think it is misguided and a sign of trophy-hunting having overtaken common sense.

Instead of blaming any and all programs which writes logfiles, it would be much more productive, from a security point of view, to get the terminal emulation programs to stop doing stupid things, and thus fix this and other security problems once and for all.