[Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx Command Injection Vulnerability
Fri, 28 Oct 2005 16:22:39 -0400 (EDT)
On Fri, 28 Oct 2005, Greg MacManus wrote:
> The advisory lists the following vulnerable vendors, which have the
> option compiled in by default, and the 2 BSD vendors without it.
I understood that (checked Gentoo's ebuild - the other two would take more
work to dig out).
> I'm not sure what an appropriate fix would be, but potentially a warning
> dialog to the user they are about to execute a local program might be
> appropriate. Another change I could think of would be to default to
> allow nothing to be executed, instead of default to allow all. If the
> user wants to execute something, they must add it.
That's probably suitable for novice mode (the default), or intermediate.
For advanced mode lynx shows the url in the status line, so a message
would be redundant.
I'm reviewing the TRUSTED_LYNXCGI logic to see if it is behaving as it is
documented, in case there is some misconception to address.
Thomas E. Dickey