lynx-dev

Re: LYNX-DEV Alleged Lynx security emergency


From: Jim Dennis
Subject: Re: LYNX-DEV Alleged Lynx security emergency
Date: Mon, 30 Jun 1997 23:50:54 -0700

 
> Dear Lynx-dev,
> 
> There is a story making the rounds that CERT, the Computer Emergency 
> Response Team at Carnegie-Mellon, has spotted a security vulnerability 
> in the -Lynx- (text-only) browser. Is this true? I note that there is no 
> advisory to this effect in comp.security.announce.

        The alleged "emergency" was the detection of a way 
        by which someone could construct a URL that would bypass
        some of the restrictions that one might put on a "public 
        lynx" account.

        In other words a user who was supposed to be "restricted"
        to lynx only access might trick lynx into running a shell
        command.  

> The reason why I am raising the issue is that a major local online 
> system, called "Sailor," has put an electronic block in its Lynx Internet 
> service, thinking that the block will somehow protect it from this 
> [alleged] Lynx bug.

        Does this service provide "shell" access (like most of the
        "freenets (TM?)")?

        If so, then there is no reason that I know of to deny shell
        users access to lynx.  (Lynx is not installed SUID and wouldn't
        grant a user any privileges beyond their normal user access).

        Does this service provide a "public lynx" account (i.e. an
        anonymous access to the lynx browser)?

        If so, then they may want to disable this service -- or they 
        may want to simply configure it to run in a chroot "jail" 
        as the user "nobody" (or under some other unprivileged "pseudo-
        user" account).

        I think Fote's latest patches incorporate fixes for the 
        particular problem in question (go through the archives of 
        this list for the last week or so) -- however I'd suggest
        running an anonymous account in a chroot jail in any event.
        Look for Wietse Venema's 'chrootuid' program -- it can help
        with the whole process.

        If "sailor" needs help configuring a chroot jail for 
        their copy of Lynx I might be willing to do it 'gratis'
        -- if it's for a "good cause."
 
> Yours,
> Tom Jones

--
Jim Dennis,                                address@hidden
Proprietor,                          address@hidden
Starshine Technical Services              http://www.starshine.org

        PGP  1024/2ABF03B1 Jim Dennis <address@hidden>
        Key fingerprint =  2524E3FEF0922A84  A27BDEDB38EBB95A 
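A pre-flight check for the chroot-jail setup the reply recommends, added here as example code (not from the list, from Lynx, or from chrootuid). It assumes the jail already contains Lynx at the given path and uses chrootuid's `newroot newuser command` argument order; the jail path and user are placeholders.

```shell
#!/bin/sh
# Checks before running a "public lynx" account in a chroot jail: lynx itself
# must not be setuid/setgid, and the jail should hold no shells or interpreters
# so a URL trick that escapes lynx finds nothing to execute. Paths are assumed.

# Return 0 when the file carries neither the setuid nor the setgid bit.
not_setuid() {
    mode=$(ls -ld "$1" | cut -c2-10)      # permission bits only, e.g. rwsr-xr-x
    case "$mode" in
        *s*|*S*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Print the number of shell/interpreter binaries present anywhere in the jail.
jail_escape_count() {
    find "$1" -type f \( -name sh -o -name bash -o -name ksh -o -name csh \
        -o -name tcsh -o -name perl \) 2>/dev/null | wc -l | tr -d ' '
}

# Assemble the chrootuid command line (syntax: chrootuid NEWROOT NEWUSER COMMAND).
chrootuid_cmdline() {
    printf 'chrootuid %s %s %s\n' "$1" "$2" "$3"
}

# preflight JAIL USER LYNX_PATH_INSIDE_JAIL
# Prints the command to run and returns 0 when the jail passes; returns 1
# with a diagnostic on stderr otherwise.
preflight() {
    jail=$1; user=$2; lynx=$3
    if [ ! -x "$jail/$lynx" ]; then
        echo "preflight: $jail/$lynx missing or not executable" >&2; return 1
    fi
    if ! not_setuid "$jail/$lynx"; then
        echo "preflight: $jail/$lynx is setuid/setgid; it should not be" >&2; return 1
    fi
    n=$(jail_escape_count "$jail")
    if [ "$n" -ne 0 ]; then
        echo "preflight: $n shell/interpreter binaries inside $jail; remove them" >&2
        return 1
    fi
    chrootuid_cmdline "$jail" "$user" "$lynx"
}

# Usage (placeholder paths): sh preflight.sh /var/jail/lynx nobody /bin/lynx
if [ $# -ge 3 ]; then
    preflight "$@"
fi
```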
