
Re: LYNX-DEV Alleged Lynx security emergency


From: Jonathan Sergent
Subject: Re: LYNX-DEV Alleged Lynx security emergency
Date: Tue, 01 Jul 1997 15:30:49 -0500

Fote wrote:
 ]      No.  The vanilla code assumes that the value of File= will
 ] be that of its temporary file, and doesn't do anything with it.  It
 ] cleans up the value of SugFile= as accepted or modified by the user
 ] at the prompt for an output filename.  

I thought that was what I said.  It's certainly what I thought [I
read through the fotemods LYDownload, the "vanilla" LYDownload,
and quote_pathname().]

 ]      There seems to be more to it than what you and Wayne are claiming
 ] about it being equivalent to a script entered on the command line.  For
 ] example, the LYK_SHELL command on Unix uses  system("exec $SHELL");  and
 ] that works cleanly.  The posted spoofing LYNXDOWNLOAD URL ends up with
 ]  system("/bin/cp /dev/null;/bin/sh; /dev/null");  and it causes /dev/null
 ] to be replaced with a real, empty file (no longer symbolic) even though
 ] the account running Lynx doesn't have privileges to do that.  Also, the
 ] invoked shell has strange terminal characteristics, which you can almost
 ] but not quite clean up with ^Jstty sane^J^J.  When I tried a spoofing URL
 ] which yields  system("/bin/cp foo bar;exec $SHELL; bar");  where foo
 ] exists so there is no cp error, it still gave me a shell with strange
 ] terminal characteristics.

The strange terminal characteristics are set by curses...

I was thinking along the lines of File=;/bin/sh;, 
SugFile="hello my name is bob" [or whatever].

If you were a purist you could do File=;stty sane;/bin/sh;stty raw;
as well.  [Haven't tried it, should work though]

As far as /dev/null disappearing, sol seems to be the
only machine on which people say this happens.  I've tried it on 
HP-UX and on Solaris 2.5 and it doesn't happen.  I'd try it on 2.4 
to prove that it wasn't the OS but the machine, but I no longer have 
accounts on any hosts with 2.4 (they're all 2.5 or 2.3 at Purdue).

I suggest you check the permissions of the /dev directory itself 
on sol, they should be 0755 obviously.

The code that Wayne pointed out must be what's killing /dev/null
for some of you.  Having a writeable /dev/null directory is somewhat
dangerous...

 ]      You're also confusing the File= value with the command for the
 ] download option based on the Method= value.  In the case of -1, it's
 ] COPY_PATH, defined in userdefs.h as /bin/cp (for the vanilla and
 ] fotemods code).  In the case of 0 to n, it's the command or script
 ] defined for DOWNLOADER: in lynx.cfg.  The File= and "cleaned-up"
 ] SugFile= values follow those, to act as arguments for the command.

I realize that /bin/cp (for method<0) is different from the
downloader definitions, but I was saying that we can't get rid
of system() altogether because the downloaders (I guess the
printers too) still need it...

Still, I think the right way to fix this problem is:
execl("/bin/cp", "cp", File, SugFile, (char *)0);   /* Substitute proper variables; argv[0] and the NULL terminator must be present. */
which doesn't start up an sh at any point in time if I'm not mistaken.

...

I wonder if any of the O)ptions or any environment variables [possibly
set via telnet / telnetd, read the manual page for info on how to do this] 
can be modified to get a shell in a similar manner.


--jss.
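As an added example (not code from this message or from Lynx itself), the fork/execl shape proposed above, beside a constructed round-trip showing that a ';' in the destination name is copied as a plain filename character rather than parsed by sh. It assumes /bin/cp exists and /tmp is writable; the function names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* The fix proposed in the message: run /bin/cp directly with each name as its
 * own argv entry.  No sh is started, so a ';' in File= or SugFile= is just a
 * byte in a filename; "--" also keeps a name beginning with '-' out of cp's options. */
int copy_file_noshell(const char *file, const char *sugfile)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/cp", "cp", "--", file, sugfile, (char *)NULL);
        _exit(127);                      /* only reached if exec fails */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Constructed round-trip: copy a sample file to a destination whose name
 * contains ';' and return 1 only if the bytes arrived intact, i.e. the ';'
 * was part of the name rather than a command separator. */
int demo_copy_roundtrip(void)
{
    char dir[64], src[96], dst[96], buf[64];
    const char *sample = "constructed sample content\n";
    FILE *f; size_t n; int ok;
    snprintf(dir, sizeof dir, "/tmp/lynxcp.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return 0;
    snprintf(src, sizeof src, "%s/source.txt", dir);
    snprintf(dst, sizeof dst, "%s/dest;name.txt", dir);
    f = fopen(src, "w");
    if (!f) return 0;
    fputs(sample, f);
    fclose(f);
    ok = copy_file_noshell(src, dst) == 0 && (f = fopen(dst, "r")) != NULL;
    if (ok) {
        n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        ok = strcmp(buf, sample) == 0;
    }
    unlink(src); unlink(dst); rmdir(dir);
    return ok;
}
```

The same argv-array approach applies to the DOWNLOADER: and printer commands if they are given as a program plus arguments rather than as a shell string.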
