[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
LYNX-DEV Lynxexec security hole
|
From: |
Ryan Hung |
|
Subject: |
LYNX-DEV Lynxexec security hole |
|
Date: |
Wed, 18 Dec 1996 17:09:00 -0800 (PST) |
There is a security hole in the lynxexec code, allowing users to
circumvent permitted directories by doing a
lynxexec:/<PERMITTED>/<PATH>/../../bin/csh, which allows them to get shell
access even when shell access is supposed to be disabled. A patch has
been provided on a mailing list for Freenets/CommunityNets in Canada, to
the following effect: in LYGetFile.c:
/*
* Check to see if the supplied paths is allowed to be executed.
*/
PUBLIC BOOLEAN exec_ok ARGS3(CONST char *,source, CONST char *,link, int, type)
{
struct trust *tp;
char CONST *cp;
int Type = type;
if (LYJumpFileURL)
return TRUE;
if (Type == EXEC_PATH) {
tp = trusted_exec;
} else if (Type == ALWAYS_EXEC_PATH) {
tp = always_trusted_exec;
} else if (Type == CGI_PATH) {
tp = trusted_cgi;
} else {
HTAlert(MALFORMED_EXEC_REQUEST);
return FALSE;
}
/* rhung - security patch to prevent users accessing lynxexec's elsewhere */
if (LYstrstr(link, "../") != NULL )
return FALSE;
The last two lines are the patch (with my comments above it), disabling
'../' in the link name.
Ryan.
_/ \__/ \__/ \__/ \__/ \__/ \__/ \__/address@hidden/ \__/ \__/
\_Apoptosis=programmed cell death/ \__/ address@hidden/ \__/ \__
_/ --you can't live without it!/ \__/ \__/ \__/ \__/ \__/ \__/ \__/
\__/ \__/ \__/ \__/ \__/ \__/ \__/ \My words Copyright (C) 1996 \__
;
; To UNSUBSCRIBE: Send a mail message to address@hidden
; with "unsubscribe lynx-dev" (without the
; quotation marks) on a line by itself.
;
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- LYNX-DEV Lynxexec security hole,
Ryan Hung <=