From: T.E.Dickey
Subject: Re: lynx-dev lynx 2.8.x - 'special URLs' anti-spoofing protection is weak
Date: Mon, 22 Nov 1999 12:19:32 -0500 (EST)
>
> On Mon, 22 Nov 1999, T.E.Dickey wrote:
>
> > it's a followup to a posting where he criticizes _all_ of the special URLs.
> >
>
> Yes, there are two nasties that he found. And he's right about both of them.
agreed - but singling out the options form isn't.
> 1) he doesn't just criticize all special URLs (or if he does, ignore
> that part of the banter). It's the verification *by page title* that's
> a problem. He is of course right about that. Of course a page title
> is completely unreliable.
>
> 1a) Well but how many of those title comparisons are really in some way
> "security" relevant? I.e. what exactly depends on the right outcome?
he's saying that all of them are (of course).
> If the maximum result of a misdetection is just a minor annoyance (like,
> a page won't be pushed on the history stack if it has the "wrong" title) -
> who cares that much.
>
> He's looking at "LYNXDIRED://, LYNXDOWNLOAD://, LYNXPRINT:// etc",
> I assume all the stuff where such title comparisons happen - but the only
> thing where he actually claims an exploitable problem is LYNXOPTIONS://.
> I guess that means we're not doing too bad. (Or in other words, use old
> style options menu and you're still safe as far as we know.)
>
> 2) Well, I have to agree that the "secure" field doesn't look secure at all.
> It's not exactly just time(0) as one would think from his description, but
> still... It shouldn't be called "secure". What's more it shouldn't be
> *necessary* to have some "secure" (unguessable) value in the first place.
I don't see why the same rules for validating the internal pages would not
apply equally to all of them. Certainly time() isn't secure, but just a
check that it was generated by that session of lynx.
(but the code that checks titles is repeated in several places - my
inclination would be to consolidate it, and then fix the holes)
>
> > (and worth noting that some of the details don't apply to 2.8.2 - though
> > the first posting does gloss a little over the fact that he's apparently
> > mostly looking at the older versions).
>
> The first message starts with:
>
> "Since 2.7 releases (?), ..."
>
> Which details don't apply to 2.8.2?
he implies that all files in /tmp are automatically insecure.
> Klaus
--
Thomas E. Dickey
address@hidden
http://www.clark.net/pub/dickey
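The thread turns on two points: the "secure" field in the special URLs is derived from something close to time() and so is guessable, and what is actually needed is a check that a request was generated by this session of lynx. The following C program is an added example written for this page, not code from lynx or from any of the participants. It puts a hypothetical time()-derived token beside a per-session random token: the first half shows how an attacker who only roughly knows when the session started recovers the time()-derived value by searching a small window, and the second half shows the replacement check, a token read once per process from /dev/urandom (a POSIX assumption), carried with each internal request and compared in constant time, with wrong-length and tampered fields rejected. All function names (weak_token_from, guess_weak_token, make_session_token, token_equal, validate_request) and the constructed timestamp are this example's own.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#define TOKEN_LEN 16 /* 128-bit per-session token */

/* WEAK (hypothetical, not Lynx's code): a "secure" field derived only from the
 * session start time. The odd multiplier is a bijection, so it hides nothing. */
static unsigned long weak_token_from(time_t t)
{
    return (unsigned long)t * 2654435761UL;
}

/* Attacker's view: given a leaked token and a rough idea of when the session
 * began, search a small window. Returns 1 and the start time on success. */
int guess_weak_token(unsigned long observed, time_t approx_start,
                     int window_secs, time_t *found)
{
    for (time_t t = approx_start - window_secs; t <= approx_start + window_secs; t++)
        if (weak_token_from(t) == observed) {
            *found = t;
            return 1;
        }
    return 0;
}

int demo_weak_token_recovered(void)
{
    time_t session_start = 943290000; /* constructed timestamp */
    unsigned long leaked = weak_token_from(session_start);
    time_t found = 0;
    /* The attacker only knows the session began "about half a minute ago". */
    if (!guess_weak_token(leaked, session_start + 30, 120, &found))
        return 0;
    return found == session_start;
}

/* STRONG: one token per process from the OS CSPRNG (assumes POSIX /dev/urandom).
 * Returns 0 on success, -1 if no randomness could be read. */
int make_session_token(unsigned char out[TOKEN_LEN])
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    for (size_t got = 0; got < TOKEN_LEN;) {
        ssize_t n = read(fd, out + got, TOKEN_LEN - got);
        if (n <= 0) {
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Constant-time comparison: no early exit that would leak the matching prefix. */
int token_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* The check an internal-URL handler runs before acting on a request: reject a
 * wrong-length field outright, then compare the rest in constant time. */
int validate_request(const unsigned char *field, size_t field_len,
                     const unsigned char session[TOKEN_LEN])
{
    if (field_len != TOKEN_LEN)
        return 0;
    return token_equal(field, session, TOKEN_LEN);
}

int demo_session_token_roundtrip(void)
{
    unsigned char session[TOKEN_LEN], request[TOKEN_LEN];
    if (make_session_token(session) != 0)
        return 0;
    memcpy(request, session, TOKEN_LEN); /* genuine request from this session */
    if (!validate_request(request, TOKEN_LEN, session))
        return 0;
    request[TOKEN_LEN - 1] ^= 0x01; /* one bit tampered: must be rejected */
    if (validate_request(request, TOKEN_LEN, session))
        return 0;
    return !validate_request(session, TOKEN_LEN - 1, session); /* truncated field */
}

int main(void)
{
    printf("time()-derived token recovered by attacker: %s\n",
           demo_weak_token_recovered() ? "yes" : "no");
    printf("random session token: genuine accepted, tampered/truncated rejected: %s\n",
           demo_session_token_roundtrip() ? "yes" : "no");
    return 0;
}
```

The point of the search window is that "not exactly just time(0)" does not help: any cheap mixing of a low-entropy input is still invertible by trying the handful of plausible inputs. A token that is random per process, never derived from anything an outsider can estimate, and checked for exact length before a constant-time compare is what "generated by that session of lynx" has to mean in code.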