Bugtraq mailing list archives
Re: Another day, another race - lynx 2.7.1
From: djr () NARNIA N ML ORG (Daniel Reed)
Date: Tue, 17 Mar 1998 18:47:18 -0500
On Tue, 17 Mar 1998, Michal Zalewski wrote:
) I (?) found /tmp race in lynx 2.7.1. Another stupid program, which uses
) global /tmp directory instead of environment variable TMPDIR... When lynx
) downloads something, happily uses /tmp/L{seq number}{pid}TMP.{contents
) extension}. When downloading is done, it creates new file, /tmp/L{last
) number+1}{pid}TMP.html file, which contains html with options like 'Save
) to disk' and will be displayed. Of course it's created unsafely, and may be
) easily exploited to overwrite files or pass your own data to lynx... Eg.
) you may change default 'Save to disk' href to:
[...]
) Fools, fools, fools!!! This is NOT a single-task, single-user environment.
) Rewrite this function or remove it; use mkstemp instead.

This is why I, as well as most other people (I'm assuming), changed the
following section of userdefs.h:

/**************************
 * A place to put temporary files, it's almost always in "/tmp/"
 * for UNIX systems. If you include "$USER" in the definition
 * (e.g., "/tmp/$USER"), Lynx will replace the "$USER" with the
 * username of the account which invoked the Lynx image. Such
 * directories should already exist, and have protections/ACLs set
 * so that only the appropriate user(s) will have read/write access.
 * If the path includes a tilde (e.g, "~" or "~/lynxtmp"), Lynx will
 * replace the tilde with the full path for the user's home.
 * The definition here can be overridden at run time by setting a
 * "LYNX_TEMP_SPACE" environment symbol.
 */
#define TEMP_SPACE "/tmp/"

My TEMP_SPACE is set at "~" so unless the users' home directories are world
writable, it isn't a problem (and if the home directories are world
writeable, that user has other, more significant problems than just having
people able to disrupt his lynx session).
That snippet of userdefs.h (which you are recommended to review in step 1 of
the INSTALLATION file) is from lynx2.8rel.3, though I clearly recall setting
that similarly when I installed lynx2.7.2 (and I don't see anything in
docs/CHANGES2.7 to indicate anything had changed with regards to this from
2.7.1 to 2.7.2).

--
Daniel Reed <n () narnia n ml org> (3CE060DD)
System administrator at large...
A computer without Windows is like a fish without a bicycle
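The two mitigations raised in this exchange, a temp directory that only the invoking user can write to and creation through mkstemp, are sketched below as an added example; it is not code from the post or from the Lynx source. The helper names dir_is_private, safe_temp and create_exclusive are hypothetical, and LYNX_TEMP_SPACE is the override named in the userdefs.h comment.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Lynx code): 1 if dir is a real directory, not a
 * symlink, owned by the caller and not writable by group or others. */
int dir_is_private(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    return st.st_uid == geteuid() && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Hypothetical helper: create an unpredictably named file in dir with
 * mkstemp(), which opens it O_CREAT|O_EXCL. Returns the fd or -1. */
int safe_temp(const char *dir, char *path, size_t len)
{
    int n = snprintf(path, len, "%s/LXXXXXX", dir);
    if (n < 0 || (size_t)n >= len) return -1;
    return mkstemp(path);
}

/* Hypothetical helper for a name that must stay predictable: fails with
 * EEXIST if anything, including a symlink, already sits at path. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

int main(void)
{
    const char *dir = getenv("LYNX_TEMP_SPACE"); /* override from userdefs.h */
    char path[4096];
    if (dir == NULL) dir = "/tmp";               /* compiled-in default */
    if (!dir_is_private(dir)) {
        fprintf(stderr, "%s is shared or missing; refusing to use it\n", dir);
        return 1;
    }
    int fd = safe_temp(dir, path, sizeof path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("created %s\n", path);
    close(fd);
    unlink(path);
    return 0;
}
```

Run with no environment set, it refuses the shared /tmp default; pointing LYNX_TEMP_SPACE at a directory only the user can write to lets it proceed.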