Re: lynx-dev Lynx CRLF Injection (fwd)

[Bela Lubkin]

Ulf Harnhammar wrote:

> Date: Mon, 19 Aug 2002 02:17:04 +0200 (CEST)
> From: Ulf Harnhammar <address@hidden>
> To: address@hidden
> Subject: Lynx CRLF Injection

> SUMMARY:
> 
> If you give Lynx a URL with some special characters on the command
> line, it will include faked headers in the HTTP query. This way,
> you can make scripts that use Lynx for downloading files access
> the wrong site on a web server with multiple virtual hosts.

Ulf --

Do you see this as a security hole to the _user_ who is running Lynx?
Clearly it could be a problem to the server which is being _accessed_
via Lynx; but if so, you aren't actually protecting the server here.  A
malicious user could use `telnet` or `nc` or whatever.  Lynx is by no
means the only tool that can send crazy headers to an HTTP server!

If there's no user exposure, I don't see why this is any sort of
security alert at all.  If it causes a security problem for servers,
those servers are still at risk -- people just have to use
_any other program that does socket I/O_ (including an unpatched Lynx)
to attack those servers.

I accept that this is a legitimate patch to Lynx simply because it
allows users to access pages which might previously have been
inaccessible.  e.g. if the HTTP server -- probably in violation of all
sorts of standards -- actually _does_ have a file named
"http://this-server/foo
bar.html", where that line break is an actual newline character, Lynx
users can now access it.

But why the emergency rush delivery of the patch?

>Bela<

; To UNSUBSCRIBE: Send "unsubscribe lynx-dev" to address@hidden