Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <734638270.1993841223581968480.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Date: Thu, 9 Oct 2008 15:52:48 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: clint.ruoho@...onicsecurity.com
Subject: lynx lynxcgi handler flaw

Clint Ruoho brought this to our attention, and I think there is a greater benefit
in in sharing this than there is in keeping it embargoed.

The fix for CVE-2005-2929 only disable the lynxcgi handler when you're not in
advanced mode.  It's considered to not be a flaw in advanced mode because it
displays the URL that is selected.  The potential problem here though is if lynx
is called from the command line if it's your URL handler.

Clint pointed out that the easiest way to fix this is to just disable CGI support
in /etc/lynx.cfg, which I agree with, and is a wise default.

Initially I thought this was an issue that should be fixed, but I'm starting to
wonder this.  So some open discussion is in order.

Does anything allow the lynxcgi:// handler?  A user would have to have defined
this protocol handler, which I think is quite unlikely.

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.