lynx-dev
From: Thomas Dickey
Subject: [Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx Command Injection Vulnerability
Date: Fri, 28 Oct 2005 16:22:39 -0400 (EDT)

On Fri, 28 Oct 2005, Greg MacManus wrote:

> The advisory lists the following vulnerable vendors, which have the
> option compiled in by default, and the 2 BSD vendors without it.

I understood that (checked Gentoo's ebuild - the other two would take more work to dig out).

> I'm not sure what an appropriate fix would be, but potentially a warning
> dialog to the user they are about to execute a local program might be
> appropriate. Another change I could think of would be to default to
> allow nothing to be executed, instead of default to allow all. If the
> user wants to execute something, they must add it.

That's probably suitable for novice mode (the default), or intermediate. For advanced mode lynx shows the url in the status line, so a message would be redundant.

I'm reviewing the TRUSTED_LYNXCGI logic to see if it is behaving as it is documented, in case there is some misconception to address.

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
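The two policies Greg contrasts above (allow all lynxcgi: scripts unless a rule says otherwise, versus execute nothing unless the user has explicitly listed it) can be made concrete with a small policy check. The C below is an added illustration, not Lynx's own code and not the real TRUSTED_LYNXCGI parser: the `cgi_policy` struct, the `lynxcgi_permitted` function, the rule format (absolute directory prefixes or exact script paths) and the directory names are assumptions for this example, and the real lynx.cfg rule syntax is not reproduced here. It also shows two checks a practitioner would want in any such allowlist: prefix matching that stops at directory boundaries and rejection of `..` components, so that an allowed directory cannot be used to reach `/bin/sh`.

```c
/* Added example: default-deny allowlist for lynxcgi-style script URLs.
 * Not Lynx's code; the rule syntax and names here are assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_RULES 16
#define MAX_PATH  512

typedef struct {
    const char *rules[MAX_RULES]; /* allowed directory prefixes or exact files */
    int nrules;
    int default_allow;            /* 1 = allow everything when no rules exist
                                     (the risky default); 0 = deny everything */
} cgi_policy;

/* Copy the script path out of "lynxcgi:<path>[?query]" into out.
 * Returns 0 on success, -1 if url is not a lynxcgi URL or the path is empty. */
static int lynxcgi_script_path(const char *url, char *out, size_t outlen) {
    static const char prefix[] = "lynxcgi:";
    size_t plen = sizeof(prefix) - 1;
    if (strncmp(url, prefix, plen) != 0) return -1;
    const char *p = url + plen;
    size_t n = strcspn(p, "?");        /* drop the query string, if any */
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Reject paths that could escape an allowed directory after prefix matching:
 * relative paths, any ".." component, and doubled slashes. */
static int path_is_suspicious(const char *path) {
    size_t len = strlen(path);
    if (path[0] != '/') return 1;
    if (strstr(path, "/../") != NULL) return 1;
    if (len >= 3 && strcmp(path + len - 3, "/..") == 0) return 1;
    if (strstr(path, "//") != NULL) return 1;
    return 0;
}

/* Prefix match that respects directory boundaries: "/usr/lib/cgi" matches
 * "/usr/lib/cgi/x" and "/usr/lib/cgi" itself, but not "/usr/lib/cgi-evil/x". */
static int rule_matches(const char *rule, const char *path) {
    size_t rl = strlen(rule);
    while (rl > 1 && rule[rl - 1] == '/') rl--;   /* ignore trailing slashes */
    if (rl == 1 && rule[0] == '/') return 1;      /* explicit "/" allows all */
    if (strncmp(rule, path, rl) != 0) return 0;
    return path[rl] == '\0' || path[rl] == '/';
}

/* Returns 1 if the script named by url may be executed under pol, else 0. */
int lynxcgi_permitted(const cgi_policy *pol, const char *url) {
    char path[MAX_PATH];
    if (lynxcgi_script_path(url, path, sizeof path) != 0) return 0;
    if (path_is_suspicious(path)) return 0;
    if (pol->nrules == 0) return pol->default_allow;
    for (int i = 0; i < pol->nrules; i++)
        if (rule_matches(pol->rules[i], path)) return 1;
    return 0;
}

int main(void) {
    /* Constructed sample URLs and policies for the demonstration. */
    const char *urls[] = {
        "lynxcgi:/bin/sh",
        "lynxcgi:/usr/local/lib/lynxcgi/test.cgi?x=1",
        "lynxcgi:/usr/local/lib/lynxcgi-evil/x",
        "lynxcgi:/usr/local/lib/lynxcgi/../../../../bin/sh",
    };
    cgi_policy allow_all = { {0}, 0, 1 };                         /* no rules, allow */
    cgi_policy deny_all  = { {0}, 0, 0 };                         /* no rules, deny  */
    cgi_policy listed    = { {"/usr/local/lib/lynxcgi"}, 1, 0 };  /* one trusted dir */
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-52s allow-all=%d deny-all=%d listed=%d\n", urls[i],
               lynxcgi_permitted(&allow_all, urls[i]),
               lynxcgi_permitted(&deny_all, urls[i]),
               lynxcgi_permitted(&listed, urls[i]));
    return 0;
}
```

With `default_allow` set, an empty rule list lets `lynxcgi:/bin/sh` through, which is the behaviour the advisory is about; with it cleared, nothing runs until the user adds a rule, and even then `lynxcgi-evil` and `..` traversals under the trusted prefix are refused.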
