lynx-dev
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)

From: Bela Lubkin
Subject: Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)
Date: Thu, 26 Jun 1997 01:36:39 +0000 
Alex Lyons wrote:

> > >     system("/bin/cp file1;/bin/sh; file2")       :(
> > >     system("exec /bin/cp file1;/bin/sh; file2")  :)
> > I believe that the discussion of 'exec' was referring to the family of
> > system calls (execl, execlp, etc), which require the application to parse
> > the command line into the argv array by itself.
> 
> I know.  That's why I'm suggesting putting "exec" in front of the command
> string passed to system, as a less-hassle alternative: the shell does the
> parsing, but then gets replaced by the first command before it can cause
> any mischief.

This gives nothing more than a false sense of security.  If the user can
spoof, they can spoof in ways that your leading "exec " won't help:

  system("exec /bin/cp file1`/bin/sh </dev/tty >/dev/tty 2>&1` file2");

>Bela<

PS: I didn't see any response to my comment 2 weeks ago that "the
    sequence open-then-chmod tends to open race conditions which can
    lead to security holes".  Was it received?
;
; To UNSUBSCRIBE:  Send a mail message to address@hidden
;                  with "unsubscribe lynx-dev" (without the
;                  quotation marks) on a line by itself.
;
reply via email to
[Prev in Thread] Current Thread [Next in Thread]