Re: lynx-dev lynx 2.8.x - 'special URLs' anti-spoofing protection is weak
Mon, 22 Nov 1999 10:11:00 -0600 (CST)

On Mon, 22 Nov 1999, T.E.Dickey wrote:

> it's a followup to a posting where he criticizes _all_ of the special urls.

Yes, there are two nasties that he found. And he's right about both of them.

1) he doesn't just criticize all special URLs (or if he does, ignore
that part of the banter). It's the verification *by page title* that's
a problem. He is of course right about that. Of course a page title
is completely unreliable.

1a) Well but how many of those title comparisons are really in some way
"security" relevant? I.e. what exactly depends on the right outcome?
If the maximum result of a misdetection is just a minor annoyance (like,
a page won't be pushed on the history stack if it has the "wrong" title) -
who cares that much.
He's looking at "LYNXDIRED://, LYNXDOWNLOAD://, LYNXPRINT:// etc",
I assume all the stuff where such title comparisons happen - but the only
thing where he actually claims an exploitable problem is LYNXOPTIONS://.
I guess that means we're not doing too bad. (Or in other words, use old
style options menu and you're still safe as far as we know.)

2) Well, I have to agree that the "secure" field doesn't look secure at all.
It's not exactly just time(0) as one would think from his description, but
still... It shouldn't be called "secure". What's more it shouldn't be
*necessary* to have some "secure" (unguessable) value in the first place.

> (and worth noting that some of the details don't apply to 2.8.2 - though
> the first posting does gloss a little over the fact that he's apparently
> mostly looking at the older versions).

The first message starts with:
"Since 2.7 releases (?), ..."
Which details don't apply to 2.8.2?