lynx-dev

Re: [Lynx-dev] Possible more elegant fix for Lynx vulnerability?


From: Thorsten Glaser
Subject: Re: [Lynx-dev] Possible more elegant fix for Lynx vulnerability?
Date: Tue, 13 Oct 2020 15:29:46 +0000 (UTC)

Naveen Albert via Lynx-dev dixit:

>    I've written up a whitepaper about a vulnerability with default Lynx

|   This whitepaper discusses an unintended configuration-based
|   (non-technical) vulnerability that allows guest users in a poorly
|   secured shell application to exploit loose security restrictions in
|   the Lynx text-based web browser to bypass security mechanisms and
|   access sensitive system information, allowing malicious users to
|   potentially obtain root access to a system and compromise the entire
|   machine. The vulnerability stems from default security settings in
|   the Lynx browser that allow full system access.

This is complete nōnsense. It is only proper of lynx to allow local
users full local access. If someone wants to run it as a restricted
application on a shell service, they need to restrict local operations
differently anyway.

This is no “vulnerability” in lynx.

bye,
//mirabilos
-- 
> Hi, does anyone sell openbsd stickers by themselves and not packaged
> with other products?
No, the only way I've seen them sold is for $40 with a free OpenBSD CD.
        -- Haroon Khalid and Steve Shockley in gmane.os.openbsd.misc


