Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 9 Oct 2008 15:52:48 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: clint.ruoho@...onicsecurity.com
Subject: lynx lynxcgi handler flaw

Clint Ruoho brought this to our attention, and I think there is a greater benefit
in in sharing this than there is in keeping it embargoed.

The fix for CVE-2005-2929 only disable the lynxcgi handler when you're not in
advanced mode.  It's considered to not be a flaw in advanced mode because it
displays the URL that is selected.  The potential problem here though is if lynx
is called from the command line if it's your URL handler.

Clint pointed out that the easiest way to fix this is to just disable CGI support
in /etc/lynx.cfg, which I agree with, and is a wise default.

Initially I thought this was an issue that should be fixed, but I'm starting to
wonder this.  So some open discussion is in order.

Does anything allow the lynxcgi:// handler?  A user would have to have defined
this protocol handler, which I think is quite unlikely.

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ