Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)
From: Andrew Kuchling
Subject: Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)
Date: Tue, 24 Jun 1997 10:48:32 -0400 (EDT)
> When you start up a lynx client session, you can hit "g" (for Goto) and
> then enter the following URL:
> URL to open:
> LYNXDOWNLOAD://Method=-1/File=/dev/null;/bin/sh;/SugFile=/dev/null
Ouch; the value of File= is trusted and not passed through
quote_pathname()... A patch is included below, but...
> LYNXDOWNLOAD://Method=-1/File=/etc/passwd/SugFile=/dev/stdout
> Enter a filename: /dev/stdout
> File exists. Overwrite? (y/n) y
... it won't help for this case. Disallowing entering
LYNXfoo: cookies at the 'g' prompt doesn't help, since a cracker could
just put up an HTML page somewhere with <A HREF="LYNXfoo:...">.
Perhaps there should be an "I generated this document myself" flag for
the document Lynx is viewing; if that flag is false, as for an HTML
document downloaded from a server, LYNXfoo: URLs will be disallowed.
If that's done, there's still the possibility that there's a
way to force the second argument to LYdownload_options(); I can't say
if that's possible or not.
Andrew Kuchling
address@hidden
http://people.magnet.com/%7Eamk/
--- LYDownload.c 1997/06/13 19:52:05 1.1
+++ LYDownload.c 1997/06/24 14:44:34
@@ -46,7 +46,7 @@
int count;
char buffer[256];
char command[256];
- char *cp;
+ char *cp, *cp2;
lynx_html_item_type *download_command=0;
int c, len;
FILE *fp;
@@ -313,8 +313,10 @@
* Prevent spoofing of the shell.
*/
cp = quote_pathname(buffer);
- sprintf(command,"%s %s %s", COPY_PATH, file, cp);
+ cp2 = quote_pathname(file);
+ sprintf(command,"%s %s %s", COPY_PATH, cp2, cp);
FREE(cp);
+ FREE(cp2);
if (TRACE)
fprintf(stderr,"command: %s\n",command);
system(command);
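Review bot: The sprintf() into command at the changed line is still unbounded, and the first hunk shows the destination declared as char command[256]. COPY_PATH plus two quoted pathnames, one of which (file) comes from the File= field of the URL, can exceed 256 bytes. Before formatting, check strlen(COPY_PATH) + strlen(cp2) + strlen(cp) + 3 against sizeof(command) and refuse the download if it does not fit, or allocate command to that size.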
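The origin flag proposed in the message above, sketched as an added example (not Lynx source and not part of the original post). The `document` struct, `may_follow()` and the refusal of internal URLs typed at the 'g' prompt are assumptions of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types and names for illustration; not taken from Lynx. */
typedef struct {
    const char *address;       /* where the document came from */
    int internally_generated;  /* 1 only for pages the browser built itself */
} document;

/* Return 1 if url starts with a browser-internal "LYNXfoo:" scheme. */
static int is_internal_scheme(const char *url)
{
    static const char prefix[] = "LYNX";
    size_t i = 0;

    while (isspace((unsigned char)*url))    /* ignore leading whitespace */
        url++;
    for (; prefix[i] != '\0'; i++)          /* scheme names are case-insensitive */
        if (toupper((unsigned char)url[i]) != prefix[i])
            return 0;
    while (isalnum((unsigned char)url[i]))  /* rest of the scheme name */
        i++;
    return url[i] == ':';
}

/* Decide whether a link may be followed. source is the document holding the
 * link, or NULL when the URL was typed at the 'g' prompt (assumption of this
 * sketch: typed internal URLs are refused as well). */
int may_follow(const document *source, const char *url)
{
    if (!is_internal_scheme(url))
        return 1;                           /* ordinary URLs are unaffected */
    return source != NULL && source->internally_generated;
}

int main(void)
{
    /* Constructed sample documents and links. */
    document menu = { "download options page", 1 };
    document remote = { "http://example.invalid/page.html", 0 };
    const char *link = "lynxdownload://Method=-1/File=x/SugFile=y";

    printf("internal page: %d\n", may_follow(&menu, link));
    printf("remote page:   %d\n", may_follow(&remote, link));
    printf("'g' prompt:    %d\n", may_follow(NULL, link));
    printf("ordinary URL:  %d\n", may_follow(&remote, "http://example.invalid/"));
    return 0;
}
```

The gate only decides who may issue an internal URL; the fields inside an allowed one still need quoting and validation.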