lynx-dev

Re: [Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Ve


From: Thomas Dickey
Subject: Re: [Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx Command Injection Vulnerability
Date: Fri, 28 Oct 2005 20:35:14 -0400 (EDT)

On Fri, 28 Oct 2005, Thomas Dickey wrote:

> On Fri, 28 Oct 2005, Greg MacManus wrote:
>> I'm not sure what an appropriate fix would be, but potentially a warning
>> dialog to the user they are about to execute a local program might be
>> appropriate. Another change I could think of would be to default to
>> allow nothing to be executed, instead of default to allow all. If the
>> user wants to execute something, they must add it.
>
> That's probably suitable for novice mode (the default), or intermediate. For advanced mode lynx shows the url in the status line, so a message would be redundant.

I put a patch against dev.14 which does this.  The src/LYCgi.c change is
all that's needed.  See

        ftp://invisible-island.net/temp/lynx2.8.6dev.14b.patch.gz

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net



