Date: Thu, 9 Oct 2008 15:52:48 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: clint.ruoho@...onicsecurity.com
Subject: lynx lynxcgi handler flaw

Clint Ruoho brought this to our attention, and I think there is a greater benefit
in sharing this than there is in keeping it embargoed.

The fix for CVE-2005-2929 only disables the lynxcgi handler when you're not in
advanced mode.  It's considered to not be a flaw in advanced mode because it
displays the URL that is selected.  The potential problem here though is if lynx
is called from the command line if it's your URL handler.

Clint pointed out that the easiest way to fix this is to just disable CGI support
in /etc/lynx.cfg, which I agree with, and is a wise default.

Initially I thought this was an issue that should be fixed, but I'm starting to
wonder this.  So some open discussion is in order.

Does anything allow the lynxcgi:// handler?  A user would have to have defined
this protocol handler, which I think is quite unlikely.

Thanks.

-- 
    JB
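
A check for the configuration change suggested in the message above, as an added example that is not part of the original post. It assumes the setting in question is `TRUSTED_LYNXCGI` as documented in the stock lynx.cfg (no rule means any lynxcgi path is permitted; `none` as the only rule permits nothing); the function name `lynxcgi_status` is made up for this example.

```shell
#!/bin/sh
# Added example: classify the lynxcgi policy in a lynx.cfg-style file.
# Assumption: stock lynx.cfg semantics for TRUSTED_LYNXCGI
#   - no TRUSTED_LYNXCGI rule at all -> any lynxcgi path is permitted
#   - "none" as the only rule        -> no lynxcgi path is permitted
#   - any other rule                 -> lynxcgi allowed for the listed paths
# INCLUDE: directives are not followed; run this on each included file too.

# lynxcgi_status FILE
# Prints disabled | restricted | unrestricted | unreadable.
# Returns 0 only when lynxcgi is fully disabled by the file.
lynxcgi_status() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    awk '
        /^[ \t]*#/ { next }                  # commented-out settings do not count
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (toupper(substr(line, 1, 16)) != "TRUSTED_LYNXCGI:") next
            val = substr(line, 17)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (val == "") next
            # Exact match only: anything else is treated as a path rule,
            # which errs on the side of reporting "restricted".
            if (val == "none") none++; else paths++
        }
        END {
            if (paths > 0)     { print "restricted";   exit 1 }
            else if (none > 0) { print "disabled";     exit 0 }
            else               { print "unrestricted"; exit 1 }
        }
    ' "$cfg"
}

# Stand-alone use: sh lynxcgi_check.sh /etc/lynx.cfg
if [ $# -gt 0 ]; then
    lynxcgi_status "$1"
fi
```

A result of `unrestricted` typically means the `TRUSTED_LYNXCGI:none` line is absent or still commented out; whether lynxcgi support is compiled into the binary at all is a separate question this check does not answer.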
