lynx-dev

Re: lynx-dev lynx 2.8.x - 'special URLs' anti-spoofing protection is wea


From: T.E.Dickey
Subject: Re: lynx-dev lynx 2.8.x - 'special URLs' anti-spoofing protection is weak
Date: Mon, 22 Nov 1999 12:19:32 -0500 (EST)

> 
> On Mon, 22 Nov 1999, T.E.Dickey wrote: 
>  
> > it's a followup to a posting where he criticizes _all_ of the special urls. 
> >  
>  
> Yes, there are two nasties that he found.  And he's right about both of them. 

agreed - but singling out the options form isn't.
  
> 1) he doesn't just criticize all special URLs (or if he does, ignore 
> that part of the banter).  It's the verification *by page title* that's 
> a problem.   He is of course right about that.  Of course a page title 
> is completely unreliable. 
>  
> 1a) Well but how many of those title comparisons are really in some way 
> "security" relevant?  I.e. what exactly depends on the right outcome? 

he's saying that all of them are (of course).

> If the maximum result of a misdetection is just a minor annoyance (like, 
> a page won't be pushed on the history stack if it has the "wrong" title) - 
> who cares that much. 
>  
> He's looking at "LYNXDIRED://, LYNXDOWNLOAD://, LYNXPRINT:// etc", 
> I assume all the stuff where such title comparisons happen - but the only 
> thing where he actually claims an exploitable problem is LYNXOPTIONS://. 
> I guess that means we're not doing too bad.  (Or in other words, use old 
> style options menu and you're still safe as far as we know.) 
>  
> 2) Well, I have to agree that the "secure" field doesn't look secure at all. 
> It's not exactly just time(0) as one would think from his description, but 
> still...   It shouldn't be called "secure".  What's more it shouldn't be 
> *necessary* to have some "secure" (unguessable) value in the first place. 


I don't see why the same rules for validating the internal pages would not
apply equally to all of them.  Certainly time() isn't secure, but just a
check that it was generated by that session of lynx.

(but the code that checks titles is repeated in several places - my
inclination would be to consolidate it, and then fix the holes)

  
>  
> > (and worth noting that some of the details don't apply to 2.8.2 - though 
> > the first posting does gloss a little over the fact that he's apparently 
> > mostly looking at the older versions). 
>  
> The first message starts with: 
>  
> "Since 2.7 releases (?), ..." 
>  
> Which details don't apply to 2.8.2? 

he implies that all files in /tmp are automatically insecure.
  
>   Klaus 


-- 
Thomas E. Dickey
address@hidden
http://www.clark.net/pub/dickey
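
An added example, not code from Lynx or from anyone in this thread: one consolidated check that decides whether a page is a genuine internal page from a provenance flag plus a per-session random token, next to the title comparison the thread criticizes. The `struct doc` model, all function names, the "Options Menu" title and the use of /dev/urandom are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define TOKEN_LEN 16

/* Hypothetical document model for this example; not Lynx's own structures. */
struct doc {
    const char *title;              /* attacker-controlled on remote pages */
    int generated_internally;       /* set only by make_doc() for internal pages */
    unsigned char token[TOKEN_LEN]; /* per-session value copied into internal pages */
};
static unsigned char session_token[TOKEN_LEN];

/* Draw the per-session token from the OS random source (assumes /dev/urandom). */
int session_init(void) {
    FILE *f = fopen("/dev/urandom", "rb");
    size_t n = f ? fread(session_token, 1, TOKEN_LEN, f) : 0;
    if (f) fclose(f);
    return n == TOKEN_LEN ? 0 : -1;
}

/* The weak check: any page can carry the expected title. */
int trusted_by_title(const struct doc *d, const char *expected) {
    return strcmp(d->title, expected) == 0;
}

/* One consolidated check: provenance flag plus session token, title ignored. */
int trusted_internal(const struct doc *d) {
    unsigned char diff = 0;
    for (size_t i = 0; i < TOKEN_LEN; i++)   /* no early exit on mismatch */
        diff |= (unsigned char)(d->token[i] ^ session_token[i]);
    return d->generated_internally && diff == 0;
}

/* Build a document; only internal pages receive the flag and the token. */
struct doc make_doc(const char *title, int internal) {
    struct doc d = { title, internal, {0} };
    if (internal) memcpy(d.token, session_token, TOKEN_LEN);
    return d;
}

int main(void) {
    if (session_init() != 0) return 1;
    struct doc spoof = make_doc("Options Menu", 0); /* constructed remote page */
    printf("title check: %d, consolidated check: %d\n",
           trusted_by_title(&spoof, "Options Menu"), trusted_internal(&spoof));
    return 0;
}
```

A page generated in an earlier session fails the consolidated check as well, because its token no longer matches the current one.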
