[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor

From: Thomas Dickey
Subject: [Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx Command Injection Vulnerability
Date: Fri, 28 Oct 2005 16:22:39 -0400 (EDT)

On Fri, 28 Oct 2005, Greg MacManus wrote:

The advisory lists the following vulnerable vendors, which have the
option compiled in by default, and the 2 BSD vendors without it.

I understood that (checked GenToo's ebuild - the other two would take more work to dig out).

I'm not sure what an appropriate fix would be, but potentially a warning
dialog to the user they are about to execute a local program might be
appropriate. Another change I could think of would be to default to
allow nothing to be executed, instead of default to allow all. If the
user wants to execute something, they must add it.

That's probably suitable for novice mode (the default), or intermediate. For advanced mode lynx shows the url in the status line, so a message would be redundant.

I'm reviewing the TRUSTED_LYNXCGI logic to see if it is behaving as it is documented, in case there is some misconception to address.

Thomas E. Dickey

reply via email to

[Prev in Thread] Current Thread [Next in Thread]