[Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx Command Injection Vulnerability
Fri, 28 Oct 2005 16:10:01 -0400
The advisory lists the following vulnerable vendors, which have the
option compiled in by default, and the 2 BSD vendors without it.
The affected vendors also have /etc/lynx.cfg files which do not set any
options for the lynxcgi: handler.
The following vendors include susceptible Lynx packages within their
* Red Hat Inc.
* Gentoo Foundation Inc.
* Mandriva SA
Other vendors are suspected as also being vulnerable. The following
vendors include Lynx packages that are not susceptible to exploitation
as the "lynxcgi" feature is not compiled into Lynx by default:
* The FreeBSD Project
I'm not sure what an appropriate fix would be, but potentially a warning
dialog telling the user they are about to execute a local program might be
appropriate. Another change I could think of would be to default to
allow nothing to be executed, instead of default to allow all. If the
user wants to execute something, they must add it.
From: Thomas Dickey [mailto:address@hidden
Sent: Friday, October 28, 2005 3:31 PM
Subject: RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor
Command Injection Vulnerability
On Fri, 28 Oct 2005, vendor-disclosure wrote:
> Sorry, the report should have been attached to the last email. Let me
> if it doesn't arrive this time.
ok. I have it.
As I read it, it notes that the upstream source does not have the
enabled by default. Also the feature normally would not be enabled in
lynx.cfg file (reading the source code).
Is there any change required to upstream source (there's not enough
information about the "configuration error on multiple platforms"), or
this aimed at changing lynx.cfg files that have been customized by
> I have also attached a PoC exploit.
thanks (will see)
Thomas E. Dickey
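The "default to allow nothing, and the user must add what may run" suggestion in the first message above, worked through as an added example. This is not Lynx's own code and not part of the thread; it assumes a handler URL of the form "lynxcgi:/absolute/path/to/script" and an operator-supplied list of trusted directories (both are assumptions for the example). The point it shows beyond the prose: the allowlist must be checked against a canonicalised path, after percent-decoding, with the directory boundary enforced, otherwise "../" and prefix tricks turn an allowlist back into allow-all.

```python
import os
from urllib.parse import unquote

# Constructed example of a default-deny allowlist for a "lynxcgi:"-style
# handler. The URL form "lynxcgi:/abs/path" is an assumption for this example.
SCHEME = "lynxcgi:"


def script_path_from_url(url):
    """Return the local script path named by a lynxcgi: URL, or None.

    Percent-encoding is decoded before any path check so that an encoded
    "../" cannot slip past the later prefix comparison. Only absolute,
    NUL-free paths are accepted.
    """
    if not url.lower().startswith(SCHEME):
        return None
    path = unquote(url[len(SCHEME):])
    if "\0" in path or not path.startswith("/"):
        return None
    return path


def is_trusted_script(url, trusted_dirs):
    """Default-deny decision.

    True only if the script path resolves to something strictly inside one
    of trusted_dirs. An empty allowlist denies everything; allowlisting "/"
    is refused because it would silently mean allow-all.
    """
    path = script_path_from_url(url)
    if path is None:
        return False
    # realpath collapses "..", and resolves symlinks for components that exist.
    real = os.path.realpath(path)
    for d in trusted_dirs:
        base = os.path.realpath(d)
        if base == "/":
            continue
        # commonpath == base means real is inside base; the base directory
        # itself is not an executable script, so it is excluded.
        if real != base and os.path.commonpath([real, base]) == base:
            return True
    return False


def demo():
    """Run a few constructed URLs through the check and return the verdicts."""
    allow = ["/usr/local/lynx-cgi"]          # constructed trusted directory
    cases = [
        "lynxcgi:/usr/local/lynx-cgi/hello.sh",
        "lynxcgi:/usr/local/lynx-cgi/../../../bin/sh",
        "lynxcgi:/usr/local/lynx-cgi/%2e%2e/%2e%2e/%2e%2e/bin/sh",
        "lynxcgi:/usr/local/lynx-cgi-extra/x",   # shares a string prefix only
        "lynxcgi:/bin/sh",
    ]
    return {u: is_trusted_script(u, allow) for u in cases}


if __name__ == "__main__":
    for url, ok in demo().items():
        print(("allow " if ok else "deny  ") + url)
```

Usage: the decision is a plain boolean so it can sit in front of whatever prompt or dialog the UI adds; the user-facing warning suggested in the thread is a separate step and does not replace this check.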