Hello,

I would just like to point out that both of the mentioned bugs are already known and/or eliminated.

Michal Zalewski wrote:
> I (?) found /tmp race in lynx 2.7.1. Another stupid program, which
> uses ...

Nope, that bug has been known for quite a while now. Check the CERT advisory on it:

    CERT* Vendor-Initiated Bulletin VB-97.05
    July 15, 1997
    Topic: Vulnerability in Lynx Temporary Files
    Source: Jim Spath

It was also posted on Bugtraq, but we can't expect Aleph1 to memorize each and every single occurrence of a bug, so who could blame him for letting that one slip through.

> While poking around lynx protocol handling routines, I found this
> very big, ugly remote hole:
>
> <a href=
> "LYNXDOWNLOAD://Method=-1/File=`touch%20UGLY_BUG`/SugFile=test">
> CLICK HERE
> </a>

You must be using a not-so-recent version of Lynx, because that bug was eliminated in Lynx version 2.7.1ac-0.35, released on June 26, 1997. Here is the actual log entry from the CHANGES file for patch level 35:

1997-06-26
* Tweak of the "tag and attribute soup" parsing mods in HTML.c so that the PLAIN attribute works for UL blocks again. - FM
* More tweaks of LYMainLoop.c to issue informative statusline messages about attempts to ACTIVATE, DOWNLOAD, or submit URLs or ACTIONs which are disallowed in the current context and destined to fail, rather than acting on them and generating actual failures. - FM
* Mods of LYmktime() in LYUtils.c to support dd-mm-yyyy format for expires headers and cookie attributes. - FM
* Oops, hadn't included checks for whether there are links on the page in this morning's LYMainLoop.c mods to ensure appropriate statusline messages for attempts to bookmark special URLs that can't be bookmarked, which could yield a crash it there aren't any. The checks are in there now. - FM
* Added ability to bookmark links from the Lynx List Page, as from the Visited Links Page, but not for those pages, themselves, since they are temporary files. Note that Lynx List Page links will not have the documents' titles, as do those in the Visited Links Page, unless you've visited them before invoking the Lynx List Page. - FM
* Added explicit protections against buffer overruns in the LYDownload.c handling of suggested filenames. - FM

In Lynx version 2.7.1ac-0.35 and later, the following message is displayed when you try to follow a potentially malicious link like the one you mentioned:

    Alert!: This special URL is not allowed in external documents!

so I guess you had better start looking for another bug to exploit.

Another day, another pair of already known and/or eliminated bugs. :-)

You have shown that you are very enthusiastic and persistent in your quest to find race conditions and other bugs, but you should spend some more time researching before you post your findings, IMHO.

Regards,
Dr. BSD
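
The "not allowed in external documents" behaviour described in the message above, sketched as an added example (this is not Lynx source code and not part of the original post). The function names, the verdict enum and the metacharacter list are assumptions made for illustration; only the LYNXDOWNLOAD scheme and the sample link come from the thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum link_verdict { LINK_ALLOW, LINK_DENY_EXTERNAL, LINK_DENY_UNSAFE };

/* Case-insensitive match on the internal scheme named in the thread. */
static int is_internal_scheme(const char *url)
{
    static const char scheme[] = "LYNXDOWNLOAD:";
    size_t i;
    for (i = 0; scheme[i] != '\0'; i++)
        if (toupper((unsigned char)url[i]) != scheme[i])
            return 0;   /* also stops at the end of a short url */
    return 1;
}

/* Percent-decode byte by byte and flag shell metacharacters, so an
   encoded backtick (%60) is caught as well as a literal one.
   The metacharacter set is an assumption, chosen conservatively. */
static int has_shell_meta(const char *s)
{
    static const char meta[] = "`$;|&<>(){}\\\"'*?~! \t\n\r";
    while (*s != '\0') {
        unsigned char c = (unsigned char)*s++;
        if (c == '%' && isxdigit((unsigned char)s[0]) && isxdigit((unsigned char)s[1])) {
            char hex[3] = { s[0], s[1], '\0' };
            c = (unsigned char)strtol(hex, NULL, 16);
            s += 2;
        }
        if (c == '\0' || strchr(meta, c) != NULL)
            return 1;
    }
    return 0;
}

/* First gate: internal schemes are honoured only when the link comes from a
   page the browser generated itself. Second gate: even then, reject
   parameters that would be unsafe if they ever reached a shell. */
enum link_verdict check_link(const char *url, int source_is_internal_page)
{
    if (!is_internal_scheme(url))
        return LINK_ALLOW;              /* ordinary URL, handled elsewhere */
    if (!source_is_internal_page)
        return LINK_DENY_EXTERNAL;
    return has_shell_meta(url) ? LINK_DENY_UNSAFE : LINK_ALLOW;
}

int main(void)
{
    const char *u = "LYNXDOWNLOAD://Method=-1/File=`touch%20UGLY_BUG`/SugFile=test";
    printf("external page: %d, internal page: %d\n", check_link(u, 0), check_link(u, 1));
    return 0;
}
```

The origin check alone blocks the link quoted in the thread; the metacharacter check is a second layer in case an internal page ever echoes attacker-supplied text.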