Re: LYNX-DEV Alleged Lynx security emergency


From: Foteos Macrides
Subject: Re: LYNX-DEV Alleged Lynx security emergency
Date: Tue, 01 Jul 1997 14:48:37 -0500 (EST)

Wayne Buttles <address@hidden> wrote:
>On Tue, 1 Jul 1997, Foteos Macrides wrote:
>
>> Wayne's posted patch ...
>
>I don't remember posting any patch, although I have always wondered if I
>had multiple personalities that were virtually the same...that would
>explain the lack of short term memory ;-)

        If it wasn't you, then perhaps it was Andrew and my faulty
memory.  Anyway, someone posted a patch for quoting the File= value,
and pointed out that it won't help with the other example of using
a spoofing LYNXDOWNLOAD: URL for getting the password file (which is
why I didn't do the mods that way :).


>I just tried it as a straight user which failed to modify /dev/null.  I
>then tried it as root su'd as a user which DID modify /dev/null.
>
>As to what is causing the file to change...I think this is where that
>actually happens (from LYDownload.c): 
>
>        /* see if we can write to it */
>        if ((fp = fopen(buffer,"w")) != NULL) {
>            fclose(fp);
>            remove(buffer);
>        } else {
>            HTAlert(CANNOT_WRITE_TO_FILE);
>            _statusline(NEW_FILENAME_PROMPT);
>            FirstRecall = TRUE;
>            FnameNum = FnameTotal;
>            goto retry;
>        }

        I'm not sure what you mean by "it".  I'm the one who trashed
Scott's /dev/null trying out the spoofing LYNXDOWNLOAD: URL running
Lynx from a non-privileged account.  Are you saying that an
   fd = fopen("/dev/null", "w"); fclose(fd); remove("/dev/null");
sequence doing that, if that's it (haven't tried it explicitly :),
is normal on Unix, and if not, how did I do it? 


>> Also, the invoked shell has strange terminal characteristics, which you
>> can almost but not quite clean up with ^Jstty sane^J^J.  When I tried a
>> spoofing URL which yields system("/bin/cp foo bar;exec $SHELL; bar"); 
>> where foo exists so there is no cp error, it still gave me a shell with
>> strange terminal characteristics. 
>
>Just conjecture, but it may just be the mode lynx leaves the keyboard in
>that causes the strange terminal characteristics.

        Yes, that must be it.  That system() call in LYDownload.c isn't
preceded by a stop_curses().

                                Fote

=========================================================================
 Foteos Macrides            Worcester Foundation for Biomedical Research
 address@hidden         222 Maple Avenue, Shrewsbury, MA 01545
=========================================================================
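
The write probe quoted above from LYDownload.c, next to a create-exclusively alternative, as an added example that is not part of the original message or of the Lynx source. The names `legacy_probe`, `open_new_target`, `size_of` and the scratch file name are hypothetical and introduced here.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* The probe quoted from LYDownload.c, reduced to its file operations:
 * fopen(..., "w") truncates whatever the name refers to, and remove()
 * then unlinks it, whether or not this process created it. */
static int legacy_probe(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    fclose(fp);
    remove(path);
    return 0;
}

/* Hypothetical replacement: create the target and return the descriptor
 * the download is written to. O_CREAT|O_EXCL fails with EEXIST if the
 * name already exists in any form (file, device node, symlink), so
 * nothing that was there before is truncated or unlinked. */
static int open_new_target(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Size of path in bytes, or -1 if it does not exist. */
static long size_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

int main(void)
{
    const char *p = "lyprobe-demo.tmp";     /* constructed scratch file */
    int fd = open_new_target(p);
    if (fd < 0 || write(fd, "data", 4) != 4) { perror(p); return 1; }
    close(fd);
    int again = open_new_target(p);         /* refused: name exists */
    printf("hardened: fd=%d, size still %ld\n", again, size_of(p));
    int rc = legacy_probe(p);               /* truncates, then unlinks */
    printf("legacy: rc=%d, size now %ld\n", rc, size_of(p));
    return 0;
}
```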