[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)
From: |
Wayne Buttles |
Subject: |
Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd) |
Date: |
Tue, 24 Jun 1997 11:18:32 -0400 (EDT) |
On Tue, 24 Jun 1997, H E Nelson wrote:
> > subscribed to the raven list :) So, here it is in case nobody's seen
> > it yet.
I got the original, but thought everyone did. Should raven just point at
address@hidden ?
> > URL to open:
> > LYNXDOWNLOAD://Method=-1/File=/dev/null;/bin/sh;/SugFile=/dev/null
> > Enter a filename: /dev/null
> > File exists. Overwrite? (y/n) y
> >
> > This then gives a shell on the client machine on which the lynx process is
> > executing.
>
> On my pubLynx, it does appear that a shell was created. Not only that, I
> found that by using certain control keys (the terminal was initially locked
> to regular keys), I could create any number of shells after that.
On my pc the terminal is not locked up, my keystrokes are just invisable.
This is a sticky one...LYNXDOWNLOAD does a system() call which purposfully
calls /bin/sh to do its dirty work. We can easily write in a filter for
future versions and maybe use exec() instead, but for the life of me I
can't think of a fix for old versions.
If the account is stuck in a chroot jail with sh, lynx, cp and nothing
else...can they be dangerous?
Wayne
;
; To UNSUBSCRIBE: Send a mail message to address@hidden
; with "unsubscribe lynx-dev" (without the
; quotation marks) on a line by itself.
;
- LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd), Duncan Hill, 1997/06/24
- Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd), Scott McGee (Personal), 1997/06/24
- Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd), Robert Bonomi, 1997/06/24
- Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd), Scott McGee (Personal), 1997/06/24
- Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd), Foteos Macrides, 1997/06/24
- Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd), Robert Bonomi, 1997/06/24