CVE-2009-4611

Name of the Vulnerable Software and Affected Versions Mort Bay Jetty versions 6.x through 6.1.22 Mort Bay Jetty versions 7.0.0

Description The issue allows remote attackers to potentially modify a window's title, execute arbitrary commands, or overwrite files via an HTTP request containing an escape sequence for a terminal emulator. This is related to the handling of specific parameters and headers, including the Age parameter in the Cookie Dump Servlet, the A parameter in jsp/expr.jsp, and the Content-Length HTTP header.

Recommendations For Mort Bay Jetty versions 6.x through 6.1.22, update to a version later than 6.1.22 to resolve the issue. For Mort Bay Jetty version 7.0.0, update to a version later than 7.0.0 to resolve the issue. As a temporary workaround, consider restricting access to the Cookie Dump Servlet and jsp/expr.jsp to minimize the risk of exploitation. Avoid using the Age parameter in the Cookie Dump Servlet and the A parameter in jsp/expr.jsp until the issue is resolved. Restrict the handling of the Content-Length HTTP header in arbitrary applications to prevent potential exploitation.