Security advisory: lynx

Yaakov (Cygwin/X)

Lynx is vulnerable to an issue which allows the remote execution of
arbitrary commands.

iDefense labs discovered a problem within the feature to execute local
cgi-bin programs via the "lynxcgi:" URI handler. Due to a configuration
error, the default settings allow websites to specify commands to run
as the user running Lynx.

Workaround:
Disable "lynxcgi" links by specifying the following directive in
lynx.cfg:
TRUSTED_LYNXCGI:none

Fix:
I've attached a patch for lynx-2.8.5.

More information:
http://security.gentoo.org/glsa/glsa-200511-09.xml
http://bugs.gentoo.org/show_bug.cgi?id=112213
http://www.idefense.com/application/poi/display?id=338&type=vulnerabilities

--- lynx2-8-5/src/LYCgi.c.cve-2005-2929 2004-02-02 13:02:28.000000000 -0700
+++ lynx2-8-5/src/LYCgi.c 2005-11-12 09:57:35.832520625 -0700
@@ -140,6 +140,40 @@
     }
 }
 
+#ifdef LYNXCGI_LINKS
+/*
+ * Wrapper for exec_ok(), confirming with user if the link text is not visible
+ * in the status line.
+ */
+static BOOL can_exec_cgi(const char *linktext, const char *linkargs)
+{
+    const char *format = gettext("Do you want to execute \"%s\"?");
+    char *message = NULL;
+    char *command = NULL;
+    char *p;
+    BOOL result = TRUE;
+
+    if (!exec_ok(HTLoadedDocumentURL(), linktext, CGI_PATH)) {
+ /* exec_ok gives out msg. */
+ result = FALSE;
+    } else if (user_mode < ADVANCED_MODE) {
+ StrAllocCopy(command, linktext);
+ if (non_empty(linkargs)) {
+    HTSprintf(&command, " %s", linkargs);
+ }
+ HTUnEscape(command);
+ for (p = command; *p; ++p)
+    if (*p == '+')
+ *p = ' ';
+ HTSprintf0(&message, format, command);
+ result = HTConfirm(message);
+ FREE(message);
+ FREE(command);
+    }
+    return result;
+}
+#endif /* LYNXCGI_LINKS */
+
 #ifdef __MINGW32__
 PRIVATE int LYLoadCGI ARGS4(
  CONST char *, arg,
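Review bot: the text shown in the confirmation prompt is decoded in the wrong order at `HTUnEscape(command);` followed by the `'+'`-to-space loop: a percent-encoded `%2B` is first unescaped to a literal `+` and then rewritten as a space, so the prompt can misrepresent an argument that really contains a plus sign. Do the `+` substitution first and call `HTUnEscape()` afterwards so the string the user confirms matches what the CGI program will receive. Also, `user_mode < ADVANCED_MODE` means advanced-mode users are never prompted; the CHANGES entry explains why, but a one-line comment above that test would keep the reasoning next to the code.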
@@ -281,8 +315,7 @@
        strcmp(arg, HTLoadedDocumentURL()) &&
        HText_AreDifferent(anAnchor, arg) &&
        HTUnEscape(orig_pgm) &&
-       !exec_ok(HTLoadedDocumentURL(), orig_pgm,
- CGI_PATH)) { /* exec_ok gives out msg. */
+       !can_exec_cgi(orig_pgm, "")) {
  /*
  *  If we have extra path info and are not just reloading
  *  the current, check the full file path (after unescaping)
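Review bot: `can_exec_cgi(orig_pgm, "")` passes an empty argument string, so when a link carries extra path info the user is asked to confirm only the bare program name here, and if the later check on `pgm` with `pgm_args` also runs they are prompted a second time for the same link activation. Either confirm once with the full command, or pass the path info here as well so the first prompt shows what will actually run.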
@@ -313,8 +346,7 @@
        !(reloading && anAnchor->document) &&
        strcmp(arg, HTLoadedDocumentURL()) &&
        HText_AreDifferent(anAnchor, arg) &&
-       !exec_ok(HTLoadedDocumentURL(), pgm,
- CGI_PATH)) { /* exec_ok gives out msg. */
+       !can_exec_cgi(pgm, pgm_args)) {
  /*
  *  If we are reloading a lynxcgi document that had already been
  *  loaded, the various checks above should allow it even if
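Review bot: the `/* exec_ok gives out msg. */` comment that explained why this branch reports no error was dropped together with the old call. `can_exec_cgi()` returns FALSE either because `exec_ok()` has already printed its message or because the user declined at the prompt, so no message is needed in either case; a short comment at the call site saying so keeps that reasoning visible to the next reader.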
--- lynx2-8-5/src/LYGetFile.c.CVE-2005-2929 2003-06-02 02:16:28.000000000 +0100
+++ lynx2-8-5/src/LYGetFile.c 2005-11-11 18:03:27.000000000 +0000
@@ -1478,6 +1478,8 @@
     if (strstr(command,"//") == linktext) {
  command += 2;
     }
+    CTRACE((tfp, "comparing source\n\t'%s'\n\t'%s'\n", source, tp->src));
+    CTRACE((tfp, "comparing command\n\t'%s'\n\t'%s'\n", command, tp->path));
     if (STRNADDRCOMP(source, tp->src, strlen(tp->src)) == 0 &&
  STRNADDRCOMP(command, tp->path, strlen(tp->path)) == 0)
  return TRUE;
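Review bot: `STRNADDRCOMP(command, tp->path, strlen(tp->path))` is a prefix comparison, so a trusted path entry also matches any longer path that merely begins with the same characters (the same holds for `source` against `tp->src`); the new CTRACE lines make this easy to observe in the trace file. Tighten the match to require either equal length or a path separator immediately after the trusted prefix. The CTRACE calls themselves write the raw `source` and `command` strings into the trace, which is fine as a debugging aid but belongs in the CHANGES entry since it ships in the same patch.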
--- lynx2-8-5/CHANGES.CVE-2005-2929 2005-11-11 18:02:29.000000000 +0000
+++ lynx2-8-5/CHANGES 2005-11-11 18:08:10.000000000 +0000
@@ -3,6 +3,13 @@
 * eliminate fixed-size buffers in HTrjis() and related functions to avoid
   potential buffer overflow in nntp pages (report by Ulf Harnhammar) -TD
 
+2005-10-30 (2.8.6dev.15)
+* modify LYLoadCGI() to prompt user, displaying the command that would be
+  executed, to confirm that it should be.  This makes it easier to notice when
+  a local program would be run by activating a lynxcgi link.  This is not done
+  in advanced mode, since the URL is already visible in the status line (report
+  by vade79, comments by Greg MacManus) -TD
+
 2003-06-01 (2.8.5dev.16)
 + add zh_CN.po from
   http://www.iro.umontreal.ca/contrib/po/maint/lynx/
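Review bot: the CHANGES entry omits the CVE identifier that the patch file names carry (`CVE-2005-2929`) and does not mention the tracing added to the trusted-list comparison in LYGetFile.c; add the CVE reference so the fix can be found later, and note the extra CTRACE output. The entry is also dated 2005-10-30 (2.8.6dev.15) while being inserted into the lynx2-8-5 CHANGES above the 2003-06-01 (2.8.5dev.16) entry, so a word that it is a backport would avoid confusion about the version line.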