[26861] in bugtraq

Re: Lynx CRLF Injection, part two

daemon@ATHENA.MIT.EDU (Petr Baudis)
Thu Aug 29 12:21:57 2002

Date: Thu, 29 Aug 2002 10:31:43 +0200
From: Petr Baudis <pasky@pasky.ji.cz>
To: Alberto Devesa <alberto.devesa@m-centric.com>
Message-ID: <20020829083143.GR2600@pasky.ji.cz>
Mail-Followup-To: Alberto Devesa <alberto.devesa@m-centric.com>,
	Ulf Harnhammar <ulfh@update.uu.se>, bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020823090352.F0C513E@mail.m-centric.com>

Hello,

Dear diary, on Fri, Aug 23, 2002 at 11:09:21AM CEST, I got a letter,
where Alberto Devesa <alberto.devesa@m-centric.com> told me, that...
> The same bug seems to affect the links browser. I have tested it with the 
> 0.96 version. Links is another console browser with extended capabilities not 
> supported by lynx like frames, colors and menus.

  yes, the same bug exists in Links and ELinks - Ulf contacted both of us
maintainers, however I wasn't able to react fast enough due to the floods in
Czech Republic. Yesterday, I finally fixed the bug in ELinks-0.4pre and
released ELinks-0.4pre15 (we now actually encode even tab, cr and lf when
sending the URL to the server). All ELinks users are recommended to upgrade,
the new ELinks homepage is at http://elinks.or.cz/.

  Note that there's no fix for ELinks-0.3.2, as I don't consider this a
critical bug and ELinks-0.4.0 is expected to replace ELinks-0.3.2 in the very
near future.

-- 
 
				Petr "Pasky" Baudis
 
* ELinks maintainer                * IPv6 guy (XS26 co-coordinator)
* IRCnet operator                  * FreeCiv AI occasional hacker
.
<Beeth> Girls are like internet domain names, the ones I like are already taken.
<honx> Well, you can still get one from a strange country :-P
.
Public PGP key && geekcode && homepage: http://pasky.ji.cz/~pasky/
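
The fix described in this message (encoding tab, CR and LF before the URL is sent to the server), sketched as an added example. This is not ELinks code: the function names, buffer sizes, the constructed sample input and the choice to encode every control byte, space and DEL (a superset of the three characters the message names) are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Percent-encode bytes that could end or split the HTTP request line: control
 * characters (TAB, CR, LF included), space and DEL. Returns length, or -1. */
static int encode_request_target(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c <= 0x20 || c == 0x7f) {
            if (o + 3 >= outlen) return -1;      /* need 3 bytes plus NUL */
            out[o++] = '%';
            out[o++] = hex[c >> 4]; out[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= outlen) return -1;      /* need 1 byte plus NUL */
            out[o++] = (char)c;
        }
    }
    if (o >= outlen) return -1;                  /* covers outlen == 0 */
    out[o] = '\0';
    return (int)o;
}

/* Build the request; the target is encoded, and a host containing
 * whitespace or line breaks is rejected. Returns length, or -1. */
static int build_request(const char *host, const char *target, char *req, size_t reqlen)
{
    char enc[512]; int n;
    if (strpbrk(host, "\r\n\t ") != NULL) return -1;
    if (encode_request_target(target, enc, sizeof enc) < 0) return -1;
    n = snprintf(req, reqlen, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", enc, host);
    return (n < 0 || (size_t)n >= reqlen) ? -1 : n;
}

/* Count CRLF pairs: a well-formed request built above has exactly three. */
static int count_crlf(const char *s)
{
    int n = 0;
    for (; (s = strstr(s, "\r\n")) != NULL; s += 2) n++;
    return n;
}

int main(void)
{
    char req[1024];
    /* Constructed input: a target carrying CR LF and an extra header line. */
    if (build_request("example.test", "/x\r\nX-Injected: 1", req, sizeof req) > 0) fputs(req, stdout);
    return 0;
}
```

The request line stays a single line because the CR and LF from the URL reach the server as `%0D%0A`, so the header count seen by the server is the one the client intended.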
