lynx-dev

Re: lynx-dev Lynx CRLF Injection (fwd)


From: Ulf Härnhammar
Subject: Re: lynx-dev Lynx CRLF Injection (fwd)
Date: Tue, 20 Aug 2002 21:06:03 +0200
User-agent: Mutt/1.3.28i

On Tue, Aug 20, 2002 at 06:41:39AM -0600, address@hidden wrote:
> I agree with Bela that security of a server should be the responsibility
> of the server.  Any attempt to enforce server security by restrictions
> on clients ultimately restricts my freedom to program my own computer,
> to which I have strong philosophical objections.

Yes, I agree. My advisory is about the client/user side (although this hole
can be used for attacking servers). It allows clients to break out of
realms:

$ lynx -realm "http://www.site1.st/ HTTP/1.0
Host: www.site2.st

"

will show site2.st, despite the fact that it is outside of the realm.

As I wrote in the advisory, it can be used to escape restrictions that programs
that run Lynx, either interactively or not, set up. It can be used for sending
arbitrary cookies and user agents, all via strange URLs. URLs don't have a
cookie part, so being able to set cookies from a URL is a bug.

> But Ulf appears to be concerned that this hole may thwart administrators'
> intent to restrict users to a captive environment, which is a legitimate
> concern.

Yes.

> > telnet and netcat don't handle URLs. Lynx does.
> Nonsense.  Telnet handles any stream of characters the user cares to type,
> including the path part of a URL.  I've readily used telnet to access
> WWW servers.  This can be as simple as:
> 
>     telnet www 80
>     GET /

Yes, I did know that. (You're using HTTP/0.9, by the way, and it's really old.)
You can use netcat or telnet to connect to a web server, but those programs
don't understand URLs. netcat doesn't know what to do with the string
"http://www.site1.st/", while Lynx does. Lynx should transform the URL to the
correct query in the HTTP protocol, but because of this bug, it is possible
to break out of that transformation and affect the headers themselves, which
causes all kinds of problems.

// Ulf Harnhammar
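The URL-to-request transformation Ulf describes, as an added example that is not part of the original mail and not Lynx code. The request builders, the realm check and the server-side parser are hypothetical stand-ins written to show the mechanism: a naive builder splices the URL into the request line and so lets a CR/LF in the "URL" add a Host or Cookie header, a string-prefix realm check passes such a URL because it still begins with the realm, and a builder that rejects control characters before parsing closes both holes. The injected URLs are constructed from the `-realm` example above (CRLF rather than bare LF as line breaks).

```python
"""CRLF injection through a URL-to-HTTP-request transformation.

Added example, not Lynx code. All functions are hypothetical illustrations
of the behaviour described in the lynx-dev thread.
"""
import re
from urllib.parse import urlsplit, quote

# Constructed inputs modelled on the mail's "lynx -realm" example.
REALM = "http://www.site1.st/"
CLEAN_URL = "http://www.site1.st/index.html"
HOST_INJECTED_URL = "http://www.site1.st/ HTTP/1.0\r\nHost: www.site2.st\r\n\r\n"
COOKIE_INJECTED_URL = "http://www.site1.st/ HTTP/1.0\r\nCookie: session=attacker\r\n\r\n"

# Characters that may never appear raw in a URL and that an HTTP parser
# gives meaning to: C0 controls (CR, LF, TAB), space and DEL.
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f]")


def build_request_naive(url: str) -> bytes:
    """Vulnerable builder: splices host and path into the request without
    checking for line breaks, so everything after the first CRLF in the URL
    is emitted as further header lines (the bug the mail describes)."""
    rest = url.split("://", 1)[1]
    host, _, path = rest.partition("/")
    request = f"GET /{path} HTTP/1.0\r\nHost: {host}\r\n\r\n"
    return request.encode("latin-1")


def build_request_safe(url: str) -> bytes:
    """Hardened builder: refuse control characters before parsing, then
    percent-encode the path so nothing the client emits can end a line."""
    if _FORBIDDEN.search(url):
        raise ValueError("URL contains control or whitespace characters")
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("unsupported or hostless URL")
    path = quote(parts.path or "/", safe="/%:@!$&'()*+,;=")
    if parts.query:
        path += "?" + quote(parts.query, safe="/?%:@!$&'()*+,;=")
    request = f"GET {path} HTTP/1.0\r\nHost: {parts.netloc}\r\n\r\n"
    return request.encode("ascii")


def safe_rejects(url: str) -> bool:
    """True if the hardened builder refuses the URL."""
    try:
        build_request_safe(url)
    except ValueError:
        return True
    return False


def effective_request(raw: bytes) -> dict:
    """What an HTTP/1.0 server actually acts on: the first request line and
    the headers up to the first blank line. Anything after that blank line
    is ignored or read as a second request, so the injected Host wins."""
    head, _, _tail = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target,
            "version": version, "headers": headers}


def in_realm_naive(url: str, realm: str) -> bool:
    """Bypassable realm check: the injected URL still starts with the realm."""
    return url.startswith(realm)


def in_realm(url: str, realm: str) -> bool:
    """Realm check on the parsed URL, after the control-character check, so
    the host the server sees is the host that was checked."""
    if _FORBIDDEN.search(url):
        return False
    u, r = urlsplit(url), urlsplit(realm)
    return ((u.scheme, u.netloc) == (r.scheme, r.netloc)
            and (u.path or "/").startswith(r.path or "/"))


if __name__ == "__main__":
    seen = effective_request(build_request_naive(HOST_INJECTED_URL))
    print("naive realm check passes:", in_realm_naive(HOST_INJECTED_URL, REALM))
    print("server sees Host:", seen["headers"]["host"])
    print("hardened builder rejects it:", safe_rejects(HOST_INJECTED_URL))
```

Running it shows the two halves of the problem side by side: the prefix check accepts the injected URL, yet the server parses `Host: www.site2.st`, exactly the realm escape in the mail; the cookie variant lands a `Cookie:` header the same way. The fix is not a smarter realm comparison but refusing, or percent-encoding, anything in the URL that could terminate a request line before the URL ever reaches the request builder.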

