FYI

________________________________
From: Lynx-dev <lynx-dev-bounces+kmcmi046=uottawa...@nongnu.org> on behalf of Ariadne Conill <aria...@dereferenced.org>
Sent: 07 August 2021 10:17
To: oss-secur...@lists.openwall.com <oss-secur...@lists.openwall.com>
Cc: Axel Beckert <a...@debian.org>; lynx-...@nongnu.org <lynx-...@nongnu.org>; secur...@debian.org <secur...@debian.org>; 991...@bugs.debian.org <991...@bugs.debian.org>
Subject: Re: [Lynx-dev] [oss-security] Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)
Hi,

On Sat, 7 Aug 2021, Thorsten Glaser wrote:

> Axel Beckert dixit:
>
>> This is more severe than it initially looked like: Due to TLS Server
>> Name Indication (SNI) the hostname as parsed by Lynx (i.e. with
>> "user:pass@" included) is sent in _clear_ text over the wire even
>
> I *ALWAYS* SAID SNI IS A SHIT THING ONLY USED AS BAD EXCUSE FOR NAT
> BY PEOPLE WHO ARE TOO STUPID TO CONFIGURE THEIR SERVERS RIGHT AND AS
> BAD EXCUSE FOR LACKING IPv6 SUPPORT, AND THEN THE FUCKING IDIOTS WENT
> AND MADE SNI *MANDATORY* FOR TLSv1.3, AND I FEEL *SO* VINDICATED RIGHT
> NOW! IDIOTS IN CHARGE OF SECURITY, FUCKING IDIOTS…

It turns out SNI is only marginally related to this issue. The issue itself is far more severe: HTParse() does not understand the authn part of the URI at all. And so, when you call:

    HTParse("https://foo:b...@example.com", "", PARSE_HOST)

it returns:

    foo:b...@example.com

which is then handed directly to SSL_set_tlsext_host_name() or gnutls_server_name_set(). But it will also leak in the Host: header on unencrypted connections, and also probably SSL ones too.

As a workaround, I taught HTParse() how to parse the authn part of URIs, but Lynx itself needs to actually properly support the authn part really.

I have attached the patch Alpine is using to work around this infoleak.

Ariadne
--- lynx2.8.9rel.1.orig/WWW/Library/Implementation/HTParse.c +++ lynx2.8.9rel.1/WWW/Library/Implementation/HTParse.c @@ -31,6 +31,7 @@ struct struct_parts { char *access; + char *auth; char *host; char *absolute; char *relative; @@ -121,6 +122,18 @@ } /* + * Scan left-to-right for an authentication username/password combination (auth). + */ + for (p = after_access; *p; p++) { + if (*p == '@') { + parts->auth = after_access; + *p = '\0'; + after_access = (p + 1); /* advance base pointer forward */ + break; + } + } + + /* * Scan left-to-right for a fragment (anchor). */ for (p = after_access; *p; p++) { @@ -135,10 +148,14 @@ * Scan left-to-right for a host or absolute path. */ p = after_access; - if (*p == '/') { - if (p[1] == '/') { - parts->host = (p + 2); /* host has been specified */ - *p = '\0'; /* Terminate access */ + if (*p == '/' || parts->auth) { + if (p[1] == '/' || parts->auth) { + if (!parts->auth) { + parts->host = (p + 2); /* host has been specified */ + *p = '\0'; /* Terminate access */ + } else { + parts->host = p; + } p = StrChr(parts->host, '/'); /* look for end of host name if any */ if (p != NULL) { *p = '\0'; /* Terminate host */
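Review bot: the new `char *auth;` member in struct struct_parts is never initialised in any of the hunks shown, while the third hunk branches on it (`|| parts->auth`); unless scan()'s existing reset of access/host/absolute/relative is extended with `parts->auth = NULL;`, a URL without an '@' tests an indeterminate pointer and may take the host branch at random.

Review bot: the '@' scan in the second hunk runs over the whole string from after_access, ahead of the fragment scan and of the host/path split, so an '@' in the path, query or fragment (https://example.com/a@b, or a relative reference such as docs/a@b.html) is taken as userinfo: everything before it is cut off into parts->auth, after_access is moved past it, and the fragment and host scans below never see the part that was removed. Bound the scan to the authority as RFC 3986 section 3.2 does: only run it when after_access begins with "//", and stop at the first '/', '?' or '#', e.g. `for (p = after_access + 2; *p && *p != '/' && *p != '?' && *p != '#'; p++)`.

Review bot: in the third hunk, `if (*p == '/' || parts->auth)` and the inner `if (p[1] == '/' || parts->auth)` make the host branch unconditional whenever an '@' was seen, even with no "//" present, and because the second hunk records auth before the "//" is skipped, parts->auth keeps the leading slashes (for https://foo:bar@example.com it holds "//foo:bar") while the `*p = '\0'` that terminates access is skipped in the auth case. Skipping the "//" before recording auth, or requiring it there, would leave parts->auth as just user:pass and let both branches collapse back to the original `p + 2` logic; note also that nothing in the patch consumes parts->auth, so the credentials are dropped rather than used, which matches the caveat in the mail that Lynx still has to support the authn part properly.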
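As an added example (not Lynx code and not part of Ariadne's patch), the following C program splits a URI authority the way RFC 3986 section 3.2 defines it, so that only the host, never "user:pass@", is what would be handed to SSL_set_tlsext_host_name()/gnutls_server_name_set() or placed in a Host: header. Beside it, naive_host() is written to mimic the behaviour the mail describes for HTParse(..., PARSE_HOST): everything between "//" and the next "/". The struct and function names, the buffer size and the sample URL (including the credential) are constructed for this example; the splitter also covers the cases the patch would get wrong, an '@' in the path or query and a reference with no authority at all, plus IPv6 literal hosts.

```c
/*
 * Added example, not Lynx code: split a URI authority per RFC 3986 3.2 so
 * only the host reaches SNI / Host:.  naive_host() mimics the leaky
 * behaviour the mail describes for HTParse(..., PARSE_HOST).
 */
#include <stdio.h>
#include <string.h>

#define URL_FIELD 256 /* fixed field size, an assumption of this example */

struct url_parts {
    char scheme[URL_FIELD];
    char userinfo[URL_FIELD]; /* "user:pass" without the '@'; empty if none */
    char host[URL_FIELD];     /* the only field SNI / Host: may carry */
    char port[URL_FIELD];     /* digits after the host's ':'; empty if none */
    char rest[URL_FIELD];     /* path, query and fragment, left untouched */
};

/* Copy [b, e) into a URL_FIELD buffer, truncating silently. */
static void copy_span(char *dst, const char *b, const char *e)
{
    size_t n = (size_t)(e - b);
    if (n >= URL_FIELD)
        n = URL_FIELD - 1;
    memcpy(dst, b, n);
    dst[n] = '\0';
}

/* Leaky extraction: "//" up to the next '/', userinfo and all. */
int naive_host(const char *url, char *out)
{
    const char *p = strstr(url, "//"), *e;
    if (p == NULL)
        return -1;
    p += 2;
    e = strchr(p, '/');
    copy_span(out, p, e ? e : p + strlen(p));
    return 0;
}

/* 0 on success; -1 when there is no "//" authority or the host is empty/malformed. */
int url_split(const char *url, struct url_parts *out)
{
    const char *p = url, *auth, *auth_end, *at, *host_b, *host_e, *colon;

    memset(out, 0, sizeof *out);

    /* scheme: up to the first ':' that comes before any '/', '?' or '#' */
    while (*p && *p != ':' && *p != '/' && *p != '?' && *p != '#')
        p++;
    if (*p == ':') {
        copy_span(out->scheme, url, p);
        p++;
    } else {
        p = url;                  /* relative reference, no scheme */
    }

    if (p[0] != '/' || p[1] != '/')
        return -1;                /* no authority: nothing to send as SNI */
    auth = p + 2;

    /* authority ends at the first '/', '?' or '#'; an '@' beyond it is not userinfo */
    auth_end = auth + strcspn(auth, "/?#");
    copy_span(out->rest, auth_end, auth_end + strlen(auth_end));

    /* userinfo: everything before the first '@' inside the authority only */
    at = memchr(auth, '@', (size_t)(auth_end - auth));
    host_b = at ? at + 1 : auth;
    if (at != NULL)
        copy_span(out->userinfo, auth, at);

    if (*host_b == '[') {         /* IP-literal: colons inside are not a port */
        const char *rb = memchr(host_b, ']', (size_t)(auth_end - host_b));
        if (rb == NULL)
            return -1;
        host_e = rb + 1;
        if (host_e < auth_end && *host_e != ':')
            return -1;            /* junk after the closing bracket */
        colon = host_e < auth_end ? host_e : NULL;
    } else {
        colon = memchr(host_b, ':', (size_t)(auth_end - host_b));
        host_e = colon ? colon : auth_end;
    }
    if (host_e == host_b)
        return -1;
    copy_span(out->host, host_b, host_e);
    if (colon != NULL)
        copy_span(out->port, colon + 1, auth_end);
    return 0;
}

int main(void)
{
    /* constructed sample URL; the credential is made up for the example */
    const char *url = "https://alice:s3cret@example.com:8443/a@b?x=1#frag";
    struct url_parts u;
    char leaky[URL_FIELD];

    if (naive_host(url, leaky) == 0)
        printf("naive host (what would go out in SNI): %s\n", leaky);
    if (url_split(url, &u) == 0)
        printf("userinfo=%s host=%s port=%s rest=%s\n",
               u.userinfo, u.host, u.port, u.rest);
    return 0;
}
```

The two design points are the ones the patch misses: the authority is bounded by the first '/', '?' or '#' before the '@' search begins, so an '@' in a path or query can never be mistaken for credentials, and the split only happens at all when a "//" authority is present, so a relative reference or a mailto: URI with an '@' is rejected rather than reinterpreted as a host.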
_______________________________________________
Lynx-dev mailing list
lynx-...@nongnu.org
https://lists.nongnu.org/mailman/listinfo/lynx-dev

_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"