{
  "modified": "2025-08-09T19:01:29Z",
  "published": "2010-01-13T20:30:00Z",
  "id": "CVE-2009-4488",
  "details": "Varnish 2.0.6 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.  NOTE: the vendor disputes the significance of this report, stating that \"This is not a security problem in Varnish or any other piece of software which writes a logfile. The real problem is the mistaken belief that you can cat(1) a random logfile to your terminal safely.\"",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "http://www.securityfocus.com/bid/37713"
    },
    {
      "type": "EVIDENCE",
      "url": "http://www.ush.it/team/ush/hack_httpd_escape/adv.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/508830/100/0/threaded"
    }
  ],
  "database_specific": {
    "isDisputed": true
  }
}
