Re: lynx-dev FWD: www.infilsec.com - Bugs: lynx tempfile predictable

lynx-dev

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: lynx-dev FWD: www.infilsec.com - Bugs: lynx tempfile predictable

From:	Philip Webb
Subject:	Re: lynx-dev FWD: www.infilsec.com - Bugs: lynx tempfile predictable
Date:	Fri, 1 Jan 1999 04:31:40 -0500 (EST)

981231 Leonid Pauzner wrote: 
>> Subject: Infilsec - Bugs: lynx tempfile predictable
>> X-URL: http://www.infilsec.com/cgi-infilsec/if?action=generate&key=00059
> Why not avoiding symlinks at /tmp/ or this was fixed long ago?

this was cured for 2-8 , ie by 980301.

>>    Infilsec
>>    lynx tempfile predictable
>>    Record Created: Wed Dec 30 16:25:49 1998
>>    Last Modified: Wed Dec 30 16:25:49 1998
>> all versions of Lynx (tested on 2.7.1, Linux)

NB: it would be very irresponsible of Infilsec to advertise a bug
without making certain they were using the latest version of the software
(subjunctive mood intentional). 

>> Local users can gain other user accounts
>> Author: fflush
>> The same problem present in Elm 2.4 PL24 and earlier
>> is present in all versions of Lynx (tested on 2.7.1, Linux).
                 ^^^                   ^^^^^^^^^^^^^^^
the latest Lynx is 2-8-1 available from  www.slcc.edu/lynx/release/ .
                 
>> When a lynx user D)ownloads a file,
>> a temporary file with a predictable name is created to store the file
>> until it is completely downloaded. -- snip --
>> Lynx doesn't check for previous existence of this file,
>> and *will* write to symlinks.

this behaviour was corrected.

>> Any local user can create a symbolic link (or hard link, for that matter)
>> with this predictable name to one of the Lynx user's files,
>> and when this user D)ownloads something, his file will be overwritten
>> by whatever he was downloading.  -- snip --

IMHO there is reason to question whether this is possible
on an up-to-date & well-managed UNIX system like this one (at U Toronto),
where users have no ability to choose symlink permissions in  /tmp
& the permissions actually allowed rule out such malicious behaviour.

-- 
========================,,============================================
SUPPORT     ___________//___,  Philip Webb : address@hidden
ELECTRIC   /] [] [] [] [] []|  Centre for Urban & Community Studies
TRANSIT    `-O----------O---'  University of Toronto

[Prev in Thread]

Current Thread

[Next in Thread]

Re: lynx-dev FWD: www.infilsec.com - Bugs: lynx tempfile predictable, Philip Webb <=
- Re: lynx-dev FWD: www.infilsec.com - Bugs: lynx tempfile predictable, Klaus Weide, 1999/01/01

Prev by Date: Re: missing patches: Re: lynx-dev LYNX: cursor showing strangely on screen in newest version
Next by Date: lynx-dev Re: LYNX: cursor showing strangely on screen in newest version
Previous by thread: lynx-dev Any word on status of extended text entry fields?
Next by thread: Re: lynx-dev FWD: www.infilsec.com - Bugs: lynx tempfile predictable
Index(es):
- Date
- Thread