Bugtraq mailing list archives
lynx - someone is deaf and blind ;)
From: lcamtuf () DIONE IDS PL (Michal Zalewski)
Date: Sun, 27 Feb 2000 16:30:03 +0100
Over six months ago, I reported nasty and easily exploitable overflows in lynx while parsing some URLs - like cso://AAAA... etc. I gave some examples, and it was fixed, but then, a month later, I realized that other protocols, not mentioned in the previous post, were still buggy in exactly the same way. Another post resulted in a patched lynx release. And what now, guess?...

Similar problems are present, for example, when lynx is using a proxy server (often the sysadmin puts proxy server settings in the global lynx.cfg) - even in recent 2.8.3dev2x releases - http://AAA... or ftp://AAA... requests with over 2 kb of junk after the protocol identifier (instead of a valid hostname) - 0x41414141 SEGV - old, good, exploitable overflow while preparing the request for the proxy server.

AND MORE FOLLOWS - for example some overflows when viewing 'Information about current document' and so on, all related to extremely long URLs. I'm not going to give more examples here, as I'm afraid I might miss one or two that won't be fixed - developers, use your head, take a look at the code and fix every suspected piece of code, not only already published / described bugs.

_______________________________________________________
Michal Zalewski * [lcamtuf () ags pl] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 551 45 93] [+48 603 110 160]

bash$ :(){ :|:&};:

=-----=> God is real, unless declared integer. <=-----=
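The bug class the post describes, as an added illustration that is not lynx's own code: a proxy request built into a fixed-size buffer from an attacker-chosen "hostname" with no length check, next to a bounded version that refuses the 2 kb of junk. Everything here is hypothetical (the function names, the 1024-byte REQ_BUF standing in for lynx's real buffer, the request format); the unsafe path is not executed, it only reports how many bytes the unchecked sprintf would have written, so the program runs without corrupting its own stack.

```c
/* Added example, not code from lynx. Hypothetical names throughout. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REQ_BUF  1024   /* assumed size of the fixed request buffer */
#define HOST_MAX 255    /* DNS names never exceed 255 octets (RFC 1035) */

/* Locate the host part of scheme://host[:port][/path]. Returns NULL when
 * there is no "://"; otherwise a pointer to the host and its length. */
static const char *url_host(const char *url, size_t *len)
{
    const char *p = strstr(url, "://");
    if (p == NULL)
        return NULL;
    p += 3;
    *len = strcspn(p, "/:");      /* host ends at the path or the port */
    return p;
}

/* Vulnerable pattern (what an unchecked builder would do):
 *   char req[REQ_BUF];
 *   sprintf(req, "GET %s HTTP/1.0\r\nHost: %.*s\r\n\r\n", url, hlen, host);
 * With ~2 KB of 'A' in the host this runs past req[] and over the saved
 * return address, giving the 0x41414141 SEGV from the post. Instead of
 * performing the overflow, return the number of bytes it would write. */
size_t unsafe_request_len(const char *url)
{
    size_t hlen;
    const char *host = url_host(url, &hlen);
    if (host == NULL)
        return 0;
    int n = snprintf(NULL, 0, "GET %s HTTP/1.0\r\nHost: %.*s\r\n\r\n",
                     url, (int)hlen, host);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Hardened builder: validate the host before it touches the buffer and
 * treat snprintf truncation as an error rather than sending a partial
 * request. Returns 0 on success, -1 when the URL is rejected. */
int build_proxy_request(char *out, size_t outsz, const char *url)
{
    size_t hlen;
    const char *host = url_host(url, &hlen);
    if (host == NULL || hlen == 0 || hlen > HOST_MAX)
        return -1;
    for (size_t i = 0; i < hlen; i++) {   /* plausible DNS characters only */
        char c = host[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-' || c == '.'))
            return -1;
    }
    int n = snprintf(out, outsz, "GET %s HTTP/1.0\r\nHost: %.*s\r\n\r\n",
                     url, (int)hlen, host);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                        /* would not fit: refuse, never truncate */
    return 0;
}

/* Constructed input: "http://AAAA.../" with n bytes of 'A' as the host,
 * the shape of request the post says crashes lynx via a proxy. */
char *junk_url(size_t n)
{
    char *u = malloc(7 + n + 2);
    if (u == NULL)
        return NULL;
    strcpy(u, "http://");
    memset(u + 7, 'A', n);
    u[7 + n] = '/';
    u[8 + n] = '\0';
    return u;
}

int main(void)
{
    char req[REQ_BUF];
    char *bad = junk_url(2048);
    printf("unchecked sprintf would write %zu bytes into a %d-byte buffer\n",
           unsafe_request_len(bad), REQ_BUF);
    printf("hardened builder on junk host: %d\n",
           build_proxy_request(req, sizeof req, bad));
    printf("hardened builder on a real URL: %d\n",
           build_proxy_request(req, sizeof req, "http://www.example.com/index.html"));
    free(bad);
    return 0;
}
```

The host-length check alone already kills the "2 kb of junk instead of a hostname" case; the truncation check covers the rest of the post's "extremely long URLs" (a short host followed by a huge path), which is why both are needed and why the post's advice to audit every such copy, not just the reported ones, matters.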