lynx-dev Security holes.

lynx-dev

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

lynx-dev Security holes.

From:	art
Subject:	lynx-dev Security holes.
Date:	16 Nov 1998 18:14:38 +0100

The first part is to prevent from attacks/trojans of the type:
<a href="rlogin://foo;address@hidden">foo</a> where the sysadmin doesn't want 
his
users to be able to run a shell. Or
<a href="rlogin://evil|address@hidden">foo</a> where the attacker
has a rlogind (or a login script) that answer with commands that will be
executed on the host running lynx.

The second one are simple fixes for buffer overflows. Of course that's
probably not the way you will fix them because I have not seen any other
use of snprintf in the source. (why not implement an own version?)

Index: HTTelnet.c
===================================================================
RCS file: /cvs/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTTelnet.c,v
retrieving revision 1.1.1.1
diff -u -w -u -r1.1.1.1 HTTelnet.c
--- HTTelnet.c  1998/03/11 17:47:47     1.1.1.1
+++ HTTelnet.c  1998/11/16 17:01:35
@@ -73,8 +73,7 @@
         *  *cp=0;  / * terminate at any ;,<,>,`,|,",' or space or return
         *  or tab to prevent security whole
         */
-       for(cp = (strchr(host, '@') ? strchr(host, '@') : host); *cp != '\0';
-               cp++)   {
+       for(cp = host; *cp != '\0'; cp++) {
            if(!isalnum(*cp) && *cp != '_' && *cp != '-' &&
                                *cp != ':' && *cp != '.' && *cp != '@') {
                *cp = '\0';
@@ -165,18 +164,18 @@
 #if defined(unix) || defined(DOSPATH)
 #ifndef TELNET_DONE
        if (login_protocol == rlogin) {
-           sprintf(command, "%s %s%s%s", RLOGIN_COMMAND,
+           snprintf(command, sizeof(command) - 1, "%s %s%s%s", RLOGIN_COMMAND,
                hostname,
                user ? " -l " : "",
                user ? user : "");
 
        } else if (login_protocol == tn3270) {
-           sprintf(command, "%s %s %s", TN3270_COMMAND,
+           snprintf(command, sizeof(command) - 1, "%s %s %s", TN3270_COMMAND,
                hostname,
                port ? port : "");
 
        } else {  /* TELNET */
-           sprintf(command, "%s %s %s", TELNET_COMMAND,
+           snprintf(command, sizeof(command) - 1, "%s %s %s", TELNET_COMMAND,
                hostname,
                port ? port : "");
        }

[Prev in Thread]

Current Thread

[Next in Thread]

lynx-dev Security holes., art <=
- Re: lynx-dev Security holes., dickey, 1998/11/17
- Re: lynx-dev Security holes., Klaus Weide, 1998/11/17

Prev by Date: lynx-dev Help!
Next by Date: Re: lynx-dev lynx2.8.2dev.3
Previous by thread: lynx-dev Help!
Next by thread: Re: lynx-dev Security holes.
Index(es):
- Date
- Thread