Ulf Harnhammar wrote:

> Date: Mon, 19 Aug 2002 02:17:04 +0200 (CEST)
> From: Ulf Harnhammar <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Lynx CRLF Injection
>
> SUMMARY:
>
> If you give Lynx a URL with some special characters on the command
> line, it will include faked headers in the HTTP query. This way,
> you can make scripts that use Lynx for downloading files access
> the wrong site on a web server with multiple virtual hosts.

Ulf --

Do you see this as a security hole to the _user_ who is running Lynx?

Clearly it could be a problem to the server which is being _accessed_ via Lynx; but if so, you aren't actually protecting the server here. A malicious user could use `telnet` or `nc` or whatever. Lynx is by no means the only tool that can send crazy headers to an HTTP server!

If there's no user exposure, I don't see why this is any sort of security alert at all. If it causes a security problem for servers, those servers are still at risk -- people just have to use _any other program that does socket I/O_ (including an unpatched Lynx) to attack those servers.

I accept that this is a legitimate patch to Lynx simply because it allows users to access pages which might previously have been inaccessible. e.g. if the HTTP server -- probably in violation of all sorts of standards -- actually _does_ have a file named "http://this-server/foo
bar.html", where that line break is an actual newline character, Lynx users can now access it.

But why the emergency rush delivery of the patch?

>Bela<
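To make the two points of the thread concrete (a raw CR/LF in the path splits the request head into extra header lines, and percent-encoding is what lets a path like "foo<newline>bar.html" be requested as a single token at all), here is an added Python illustration. It is not Lynx code and not from the lynx-dev thread; the function names, the host `www.example` and the constructed path are the editor's own.

```python
import re

# Bytes that must never appear raw on an HTTP request line: ASCII controls
# (CR and LF among them), space and DEL. A space or control ends or splits
# the line as a server reads it.
UNSAFE = re.compile(r"[\x00-\x20\x7f]")


def naive_head(host: str, path: str) -> str:
    """Request head built the way a client does when it trusts the path verbatim."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n"


def encode_path(path: str) -> str:
    """Percent-encode every unsafe byte so the path stays one token on the
    request line. '%' itself is left alone so already-encoded paths survive."""
    return UNSAFE.sub(lambda m: "%%%02X" % ord(m.group()), path)


def safe_head(host: str, path: str) -> str:
    """Same head, but the path is neutralised before it reaches the request line."""
    return naive_head(host, encode_path(path))


def parse_head(head: str):
    """Split a request head the way a lenient server does: the first line is the
    request line, each following line up to the blank one is a header. A bare LF
    is accepted as a line end, as many servers do."""
    lines = re.split(r"\r?\n", head)
    headers = []
    for line in lines[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def host_headers(head: str):
    """Host values a server would see; more than one means the head was split."""
    return [v for n, v in parse_head(head)[1] if n == "host"]


if __name__ == "__main__":
    # Constructed input: a path carrying a raw CRLF, as in the advisory.
    path = "/index.html\r\nHost: other.example"
    print("naive:", host_headers(naive_head("www.example", path)))  # two Host lines
    print("safe: ", host_headers(safe_head("www.example", path)))   # one Host line
    print(encode_path("/foo\nbar.html"))  # the odd filename from Bela's example
```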
