PuTTY vulnerability vuln-window-title

This is a mirror. The primary PuTTY web site can be found here.

Home | Licence | FAQ | Docs | Download | Keys | Links
Mirrors | Updates | Feedback | Changes | Wishlist | Team

summary: Window title reports offer opportunities for mischief
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
absent-in: 0.52 2001-11-24
present-in: 0.53 0.53b
fixed-in: 2003-04-13 (0.54) (0.55) (0.56) (0.57) (0.58) (0.59) (0.60) (0.61) (0.62) (0.63) (0.64)

It's been suggested that window-title reports might be a bad idea, since they allow anyone who can generate arbitrary output to a terminal to cause almost-arbitrary input from it. The various other terminal reports supported by PuTTY are less of a problem because their formats are rather more constrained.

PuTTY should probably make window-title reporting support optional and have it default to off.

This vulnerability corresponds to CVE-2003-0069 .

SGT, 2003-04-12: Just fixed this.

Audit trail for this vulnerability.


If you want to comment on this web site, see the Feedback page.
(last revision of this bug record was at 2004-10-07 01:21:40 +0000)