oss-sec mailing list archives
lynx lynxcgi handler flaw
From: Josh Bressers <bressers () redhat com>
Date: Thu, 9 Oct 2008 15:52:48 -0400 (EDT)
Clint Ruoho brought this to our attention, and I think there is a greater benefit in in sharing this than there is in keeping it embargoed. The fix for CVE-2005-2929 only disable the lynxcgi handler when you're not in advanced mode. It's considered to not be a flaw in advanced mode because it displays the URL that is selected. The potential problem here though is if lynx is called from the command line if it's your URL handler. Clint pointed out that the easiest way to fix this is to just disable CGI support in /etc/lynx.cfg, which I agree with, and is a wise default. Initially I thought this was an issue that should be fixed, but I'm starting to wonder this. So some open discussion is in order. Does anything allow the lynxcgi:// handler? A user would have to have defined this protocol handler, which I think is quite unlikely. Thanks. -- JB
Current thread:
- lynx lynxcgi handler flaw Josh Bressers (Oct 09)