Date: Thu, 9 Oct 2008 15:52:48 -0400 (EDT) From: Josh Bressers <bressers@...hat.com> To: oss-security <oss-security@...ts.openwall.com> Cc: clint.ruoho@...onicsecurity.com Subject: lynx lynxcgi handler flaw Clint Ruoho brought this to our attention, and I think there is a greater benefit in in sharing this than there is in keeping it embargoed. The fix for CVE-2005-2929 only disable the lynxcgi handler when you're not in advanced mode. It's considered to not be a flaw in advanced mode because it displays the URL that is selected. The potential problem here though is if lynx is called from the command line if it's your URL handler. Clint pointed out that the easiest way to fix this is to just disable CGI support in /etc/lynx.cfg, which I agree with, and is a wise default. Initially I thought this was an issue that should be fixed, but I'm starting to wonder this. So some open discussion is in order. Does anything allow the lynxcgi:// handler? A user would have to have defined this protocol handler, which I think is quite unlikely. Thanks. -- JB
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ