PT-2010-1351 · Orion · Orion Application Server

Alessandro Tanasi

Published

2010-01-13

Updated

2018-10-10

CVE-2009-4493

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions Orion Application Server version 2.0.7

Description The issue allows remote attackers to potentially modify a window's title or execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator, as the software writes data to a log file without sanitizing non-printable characters.

Recommendations For Orion Application Server version 2.0.7, consider disabling the logging feature to the terminal emulator until a patch is available, and restrict access to the log files to minimize the risk of exploitation.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2009-4493

Affected Products

Orion Application Server

PT-2010-1351 · Orion · Orion Application Server

CVE-2009-4493

Weakness Enumeration

Related Identifiers

Affected Products

References · 4