Re: lynx-dev Lynx CRLF Injection (fwd)
From: Bela Lubkin
Subject: Re: lynx-dev Lynx CRLF Injection (fwd)
Date: Mon, 19 Aug 2002 19:27:41 -0700
Ulf Harnhammar wrote:
> Date: Mon, 19 Aug 2002 02:17:04 +0200 (CEST)
> From: Ulf Harnhammar <address@hidden>
> To: address@hidden
> Subject: Lynx CRLF Injection
> SUMMARY:
>
> If you give Lynx a URL with some special characters on the command
> line, it will include faked headers in the HTTP query. This way,
> you can make scripts that use Lynx for downloading files access
> the wrong site on a web server with multiple virtual hosts.
Ulf --
Do you see this as a security hole to the _user_ who is running Lynx?
Clearly it could be a problem to the server which is being _accessed_
via Lynx; but if so, you aren't actually protecting the server here. A
malicious user could use `telnet` or `nc` or whatever. Lynx is by no
means the only tool that can send crazy headers to an HTTP server!
If there's no user exposure, I don't see why this is any sort of
security alert at all. If it causes a security problem for servers,
those servers are still at risk -- people just have to use
_any other program that does socket I/O_ (including an unpatched Lynx)
to attack those servers.
I accept that this is a legitimate patch to Lynx simply because it
allows users to access pages which might previously have been
inaccessible. E.g., if the HTTP server -- probably in violation of all
sorts of standards -- actually _does_ have a file named
"http://this-server/foo
bar.html", where that line break is an actual newline character, Lynx
users can now access it.
But why the emergency rush delivery of the patch?
>Bela<
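The behaviour the thread is arguing about, as an added illustration that is not part of this thread and is not Lynx's code: a client that splices a command-line URL straight into its request lets a raw newline in the URL terminate the request line, so whatever follows the newline is read by the server as further header lines (including a second Host header on a virtual-hosting server). The patched behaviour Bela describes, where a file name containing a newline is still reachable, corresponds to percent-encoding the control character so the server sees %0A instead of a line break. The host example.test and the URLs are constructed for the example.

```python
import re

# Control characters (including CR and LF) that must never appear raw in an
# HTTP request line or header value; RFC 2616 forbids them outside quoted text.
_CTL = re.compile(r"[\x00-\x1f\x7f]")


def naive_build_request(url: str) -> str:
    """Splice the URL into an HTTP/1.1 request the way an old, unchecked client
    might. Models the pre-patch behaviour the thread describes; this is a
    stand-in, not Lynx's actual code."""
    rest = url.split("://", 1)[1]
    host, _, path = rest.partition("/")
    return f"GET /{path} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def sanitize_url(url: str) -> str:
    """Percent-encode every control character in the URL so none of them can
    end a header line. A server then receives e.g. '%0A', which is how a file
    whose name really contains a newline would legitimately be requested."""
    return "".join(f"%{ord(c):02X}" if _CTL.match(c) else c for c in url)


def safe_build_request(url: str) -> str:
    """Hardened variant: sanitize first, then build the request as before."""
    return naive_build_request(sanitize_url(url))


def header_lines(raw: str) -> list:
    """Split the header block the way a lenient server would (CRLF or bare LF)."""
    head = raw.partition("\r\n\r\n")[0]
    return re.split(r"\r?\n", head)


def request_is_wellformed(raw: str) -> bool:
    """Defender's check on what actually goes on the wire: exactly one request
    line and one Host header, nothing else, terminated by an empty line."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = re.split(r"\r?\n", head)
    return (
        sep == "\r\n\r\n"
        and body == ""
        and len(lines) == 2
        and re.fullmatch(r"GET \S+ HTTP/1\.1", lines[0]) is not None
        and lines[1].startswith("Host: ")
    )


if __name__ == "__main__":
    # Constructed URL in the shape the reply mentions: a newline inside the path.
    url = "http://example.test/foo\nbar.html"
    for name, req in (("naive", naive_build_request(url)),
                      ("safe", safe_build_request(url))):
        print(f"{name}: {len(header_lines(req))} header line(s), "
              f"well-formed={request_is_wellformed(req)}")
```

Running the block shows the naive builder emitting three header lines for the constructed URL (the text after the newline has become its own line), while the sanitized request has the two lines the client intended. The wire-level check is the useful part for scripts that wrap a download tool: it inspects what will be sent rather than trusting that the URL looked harmless.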