[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: lynx-dev Lynx CRLF Injection (fwd)

From: Bela Lubkin
Subject: Re: lynx-dev Lynx CRLF Injection (fwd)
Date: Mon, 19 Aug 2002 19:27:41 -0700

Ulf Harnhammar wrote:

> Date: Mon, 19 Aug 2002 02:17:04 +0200 (CEST)
> From: Ulf Harnhammar <address@hidden>
> To: address@hidden
> Subject: Lynx CRLF Injection

> If you give Lynx a URL with some special characters on the command
> line, it will include faked headers in the HTTP query. This way,
> you can make scripts that use Lynx for downloading files access
> the wrong site on a web server with multiple virtual hosts.

Ulf --

Do you see this as a security hole to the _user_ who is running Lynx?
Clearly it could be a problem to the server which is being _accessed_
via Lynx; but if so, you aren't actually protecting the server here.  A
malicious user could use `telnet` or `nc` or whatever.  Lynx is by no
means the only tool that can send crazy headers to an HTTP server!

If there's no user exposure, I don't see why this is any sort of
security alert at all.  If it causes a security problem for servers,
those servers are still at risk -- people just have to use
_any other program that does socket I/O_ (including an unpatched Lynx)
to attack those servers.

I accept that this is a legitimate patch to Lynx simply because it
allows users to access pages which might previously have been
inaccessible.  e.g. if the HTTP server -- probably in violation of all
sorts of standards -- actually _does_ have a file named
bar.html", where that line break is an actual newline character, Lynx
users can now access it.

But why the emergency rush delivery of the patch?


; To UNSUBSCRIBE: Send "unsubscribe lynx-dev" to address@hidden

reply via email to

[Prev in Thread] Current Thread [Next in Thread]