Greg - Please respond directly to queries made by Thomas and cc vendor-disclosure.

Michael

-----Original Message-----
From: Thomas Dickey [mailto:[EMAIL PROTECTED]
Sent: Friday, October 28, 2005 3:31 PM
To: vendor-disclosure
Cc: [email protected]
Subject: RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx Command Injection Vulnerability

On Fri, 28 Oct 2005, vendor-disclosure wrote:

> Sorry, the report should have been attached to the last email. Let me know
> if it doesn't arrive this time.

ok. I have it. As I read it, it notes that the upstream source does not have the feature enabled by default. Also the feature normally would not be enabled in the lynx.cfg file (reading the source code).

Is there any change required to upstream source (there's not enough information about the "configuration error on multiple platforms"), or is this aimed at changing lynx.cfg files that have been customized by packagers?

> I have also attached a PoC exploit.

thanks (will see)

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net

_______________________________________________
Lynx-dev mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/lynx-dev
