PuTTY vulnerability vuln-window-title


summary: Window title reports offer opportunities for mischief
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
absent-in: 0.52 2001-11-24
present-in: 0.53 0.53b
fixed-in: 2003-04-13 4b6ffd99f1b22dde0e95fe5a6b63ed7f16584ee5 (0.54)

It's been suggested that window-title reports might be a bad idea, since they allow anyone who can generate arbitrary output to a terminal to cause almost-arbitrary input from it. The various other terminal reports supported by PuTTY are less of a problem because their formats are rather more constrained.

PuTTY should probably make window-title reporting support optional and have it default to off.
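
The mitigation proposed above, sketched as an added example (not PuTTY's own code): a handler for the xterm-style title query `CSI 21 t` whose reply is gated by a setting that defaults to off. The `struct term` layout, the policy names and the control-byte filter in `set_title` are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical policy for answering a title query; names are illustrative. */
enum title_report { REPORT_NONE, REPORT_EMPTY, REPORT_TITLE };

struct term {
    char title[128];           /* title last set by the remote side */
    enum title_report report;  /* zero-initialised struct => REPORT_NONE */
};

/* Store a remote-supplied title, dropping control bytes (extra hardening,
 * an assumption of this example) so it can never hold ESC, CR or LF. */
void set_title(struct term *t, const char *s)
{
    size_t n = 0;
    for (; *s && n + 1 < sizeof t->title; s++)
        if ((unsigned char)*s >= 0x20 && *s != 0x7f)
            t->title[n++] = *s;
    t->title[n] = '\0';
}

/* Handle the window operation "CSI <arg> t". Writes the bytes the terminal
 * would send to the host as if typed, and returns how many (0 = no reply). */
size_t window_op_reply(const struct term *t, int arg, char *out, size_t outlen)
{
    int n;
    if (arg != 21 || t->report == REPORT_NONE)
        return 0;              /* not a title query, or reporting is off */
    /* xterm reply format: OSC l <title> ST */
    n = snprintf(out, outlen, "\033]l%s\033\\",
                 t->report == REPORT_TITLE ? t->title : "");
    if (n < 0 || (size_t)n >= outlen)
        return 0;              /* never send a truncated reply */
    return (size_t)n;
}

int main(void)
{
    struct term t = { "", REPORT_NONE };
    char buf[160];
    set_title(&t, "constructed\r\n title");   /* constructed sample input */
    printf("off:    %zu bytes\n", window_op_reply(&t, 21, buf, sizeof buf));
    t.report = REPORT_TITLE;
    printf("opt-in: %zu bytes\n", window_op_reply(&t, 21, buf, sizeof buf));
    return 0;
}
```

With the default policy the query produces no terminal input at all; only an explicit opt-in lets remote-chosen text come back as if typed.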

This vulnerability corresponds to CVE-2003-0069.

SGT, 2003-04-12: Just fixed this.


(last revision of this bug record was at 2019-03-21 07:16:27 +0000)