From: Greg MacManus
Subject: RE: [Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx Command Injection Vulnerability
Date: Fri, 28 Oct 2005 20:47:29 -0400

Hi,

That looks like it will do it.

The original vulnerability discoverer wishes to be credited as 'vade79',
so he should probably be credited instead of me.

-- greg
-----Original Message-----
From: Thomas Dickey [mailto:address@hidden]
Sent: Friday, October 28, 2005 8:35 PM
To: Greg MacManus
Cc: vendor-disclosure; address@hidden
Subject: Re: [Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx Command Injection Vulnerability

On Fri, 28 Oct 2005, Thomas Dickey wrote:

> On Fri, 28 Oct 2005, Greg MacManus wrote:
>> I'm not sure what an appropriate fix would be, but potentially a warning
>> dialog to the user they are about to execute a local program might be
>> appropriate. Another change I could think of would be to default to
>> allow nothing to be executed, instead of default to allow all. If the
>> user wants to execute something, they must add it.
>
> That's probably suitable for novice mode (the default), or intermediate. For
> advanced mode lynx shows the url in the status line, so a message would be
> redundant.

I put a patch against dev.14 which does this.  The src/LYCgi.c change is
all that's needed.  See

        ftp://invisible-island.net/temp/lynx2.8.6dev.14b.patch.gz

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net



