[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: lynx-dev Lynx CRLF Injection (fwd)

From: pg
Subject: Re: lynx-dev Lynx CRLF Injection (fwd)
Date: Tue, 20 Aug 2002 06:41:39 -0600 (MDT)

In a recent note, Ulf H{rnhammar said:

> Date: Tue, 20 Aug 2002 08:48:43 +0200
> On Mon, Aug 19, 2002 at 07:27:41PM -0700, Bela Lubkin wrote:
> > If there's no user exposure, I don't see why this is any sort of
> > security alert at all.  If it causes a security problem for servers,
> > those servers are still at risk -- people just have to use
> > _any other program that does socket I/O_ (including an unpatched Lynx)
> > to attack those servers.
I agree with Bela that security of a server should be the responsibility
of the server.  Any attempt to enforce server security by restrictions
on clients ultimately restricts my freedom to program my own computer,
to which I have strong philosophical objections.

> Read the second paragraph of Technical Details again. It allows people to
> break out of restrictions, which is what security holes are all about.
But Ulf appears to be concerned that this hole may thwart administrators'
intent to restrict users to a captive environment, which is a legitimate

> telnet and netcat don't handle URL's. Lynx does.
Nonsense.  Telnet handles any stream of characters the user cares to type,
including the path part of a URL.  I've readily used telnet to access
WWW servers.  This can be as simple as:

    telnet www 80
    GET /

(I just tried it; it returned the HTML source of the home page of our server.)

-- gil

; To UNSUBSCRIBE: Send "unsubscribe lynx-dev" to address@hidden

reply via email to

[Prev in Thread] Current Thread [Next in Thread]