[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)

From: Alex Lyons A32/373-Winfrith Tel2368 FAX2508
Subject: Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)
Date: Wed, 25 Jun 97 10:24:10 BST

There are quite a number of calls to "system" scattered through the lynx code.
I noticed them in HTFWriter.c, LYBookmark.c, LYDownload.c, LYEdit.c,
LYGetFile.c, LYLocal.c, LYMail.c, LYMainLoop.c, LYPrint.c, and LYUpload.c.

Its not immediately obvious which of these could be vulnerable to shell
spoofing in the way described for the Download calls.  Have all these
others been checked?  I guess all user-supplied strings could be quoted
(if filenames - as suggested by Andrew Kuchling) or otherwise checked
for shell metacharacters.  Also, would it be a good idea to exec whatever
command "system" is using a shell to run?  This would effectively truncate
the command at the first shell command delimiter, eg:

    system("/bin/cp file1;/bin/sh; file2")       :(
    system("exec /bin/cp file1;/bin/sh; file2")  :)

Alex Lyons
; To UNSUBSCRIBE:  Send a mail message to address@hidden
;                  with "unsubscribe lynx-dev" (without the
;                  quotation marks) on a line by itself.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]