Re: LYNX-DEV Alleged Lynx security emergency
From: Jim Dennis
Subject: Re: LYNX-DEV Alleged Lynx security emergency
Date: Mon, 30 Jun 1997 23:50:54 -0700
> Dear Lynx-dev,
>
> There is a story making the rounds that CERT, the Computer Emergency
> Response Team at Carnegie-Mellon, has spotted a security vulnerability
> in the -Lynx- (text-only) browser. Is this true? I note that there is no
> advisory to this effect in comp.security.announce.
The alleged "emergency" was the detection of a way
by which someone could construct a URL that would bypass
some of the restrictions that one might put on a "public
lynx" account.
In other words, a user who was supposed to be "restricted"
to lynx-only access might trick lynx into running a shell
command.
> The reason why I am raising the issue is that a major local online
> system, called "Sailor," has put an electronic block in its Lynx Internet
> service, thinking that the block will somehow protect it from this
> [alleged] Lynx bug.
Does this service provide "shell" access (like most of the
"freenets (TM?)")?
If so, then there is no reason that I know of to deny shell
users access to lynx. (Lynx is not installed SUID and wouldn't
grant a user any privileges beyond their normal user access.)
Does this service provide a "public lynx" account (i.e. an
anonymous access to the lynx browser)?
If so, then they may want to disable this service -- or they
may want to simply configure it to run in a chroot "jail"
as the user "nobody" (or under some other unprivileged
"pseudo-user" account).
I think Fote's latest patches incorporate fixes for the
particular problem in question (go through the archives of
this list for the last week or so) -- however I'd suggest
running an anonymous account in a chroot jail in any event.
Look for Wietse Venema's 'chrootuid' program -- it can help
with the whole process.
If "sailor" needs help configuring a chroot jail for
their copy of Lynx I might be willing to do it 'gratis'
-- if it's for a "good cause."
> Yours,
> Tom Jones
--
Jim Dennis, address@hidden
Proprietor, address@hidden
Starshine Technical Services http://www.starshine.org
PGP 1024/2ABF03B1 Jim Dennis <address@hidden>
Key fingerprint = 2524E3FEF0922A84 A27BDEDB38EBB95A
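An added example of the chroot-jail setup recommended above; it is not code from the original thread or from the Lynx project. It copies lynx and its shared libraries into a jail, puts no shell inside it, and launches lynx as an unprivileged user through Wietse Venema's chrootuid. The jail path, the jail user and the list of config files copied are assumptions.

```shell
#!/bin/sh
# Build a minimal chroot jail for a "public lynx" account and run lynx in it
# as an unprivileged pseudo-user. JAIL, LYNX and JAIL_USER are assumed values.
set -eu

JAIL=${JAIL:-/var/jail/lynx}
LYNX=${LYNX:-/usr/bin/lynx}
JAIL_USER=${JAIL_USER:-nobody}

# List the files a binary needs inside the jail: the binary itself plus
# every shared object (and the dynamic loader) that ldd resolves for it.
jail_deps() {
    printf '%s\n' "$1"
    ldd "$1" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }
                                $1 ~ /^\// { print $1 }' || true
}

# Copy one file into the jail, preserving its directory layout.
jail_copy() {
    src=$1
    mkdir -p "$JAIL$(dirname "$src")"
    cp -p "$src" "$JAIL$src"
}

build_jail() {
    mkdir -p "$JAIL/tmp" && chmod 1777 "$JAIL/tmp"
    for f in $(jail_deps "$LYNX"); do jail_copy "$f"; done
    # Assumed set of config files lynx needs for name resolution and setup.
    for f in /etc/lynx.cfg /etc/resolv.conf /etc/nsswitch.conf /etc/hosts; do
        if [ -f "$f" ]; then jail_copy "$f"; fi
    done
    # The point of the jail: no shell inside it, so a URL that tricks lynx
    # into spawning a shell command finds nothing to execute.
    if [ -e "$JAIL/bin/sh" ]; then
        echo "warning: $JAIL/bin/sh exists; remove it" >&2
    fi
}

# Run lynx chrooted and with privileges dropped to JAIL_USER (needs root).
# -anonymous applies lynx's built-in restrictions for anonymous accounts.
run_jail() {
    exec chrootuid "$JAIL" "$JAIL_USER" "$LYNX" -anonymous "$@"
}
```

Run `build_jail` once as root, then point the public account's login shell or menu at `run_jail`.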