A vulnerability in Lynx (all versions)

fflush (fflush@SUCKAH.ML.ORG)
Mon, 05 May 1997 16:48:30 -0400

Hey all,

The same problem present in Elm 2.4 PL24 and earlier is present in all
versions of Lynx (tested on 2.7.1, Linux). When a lynx user D)ownloads a
file, a temporary file with a predictable name is created to store the file
until it is completely downloaded. The file is /tmp/L*0TMP.html (the
extension is .html regardless of actual file type). * is the PID of Lynx,
and 0 is the download number (the second download would have number 1, and
so on). Lynx doesn't check for previous existence of this file, and *will*
write to symlinks. Any local user can create a symbolic link (or hard link,
for that matter) with this predictable name to one of the Lynx user's files,
and when this user D)ownloads something, his file will be overwritten by
whatever he was downloading. If the attacker has some sort of idea as to the
content of the download (before the fact, obviously) he can write arbitrary
data to the victim's ~/.rhosts or other crucial file.

Since there is usually a substantial gap between downloads (in an average
Lynx session), an attacker has enough time to investigate and set up
his/her attack.

Fix: Why don't people like using mktemp() or tmpfile()?
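The pattern described above, as an added illustration that is not Lynx source code: the predictable-name plus fopen("w") temp file next to two hardened forms. mkstemp(3) is used rather than mktemp(3) because mktemp only returns a name and leaves a window between choosing it and creating the file, while mkstemp creates the file atomically with O_CREAT|O_EXCL. The "/tmp/lynx-dl-XXXXXX" template and the function names are assumptions for this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed illustration, not Lynx source: the download-temp-file pattern
 * the post describes next to two hardened alternatives. */

/* Weak pattern: the name is guessable from the PID and the download counter,
 * and fopen(path, "w") follows a symlink already sitting at that path, so
 * whatever the link points to gets truncated and overwritten. */
int open_download_tmp_weak(char *path, size_t len, const char *dir, int n) {
    snprintf(path, len, "%s/L%d%dTMP.html", dir, (int)getpid(), n);
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    fclose(fp);
    return 0;
}

/* Fix 1: mkstemp() picks an unpredictable name AND creates it atomically with
 * O_CREAT|O_EXCL (mode 0600); unlike mktemp(), there is no gap between
 * choosing the name and creating the file. Returns the open fd, -1 on error. */
int open_download_tmp_safe(char *path, size_t len, const char *dir) {
    snprintf(path, len, "%s/lynx-dl-XXXXXX", dir);   /* template (assumed name) */
    return mkstemp(path);
}

/* Fix 2: if a fixed name must be kept, refuse to reuse an existing path at all.
 * O_CREAT|O_EXCL makes open() fail when anything is already there (a symlink
 * included, whatever it points to); O_NOFOLLOW is belt-and-braces. */
int create_excl_nofollow(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* A check to run before writing to a predictable path: what is there right
 * now? lstat() does not follow links.
 * 0 = nothing, 1 = some existing file, 2 = a symbolic link. */
int tmp_path_is_preplanted(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    if (S_ISLNK(st.st_mode)) return 2;
    return 1;
}
```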

fflush