|
|
|
|
| |
Credit:
The information has been provided by iDEFENSE Labs.
The original article can be found at: http://www.idefense.com/application/poi/display?id=338&type=vulnerabilities
|
| |
Vulnerable Systems:
* Lynx, version 2.8.5
Immune Systems:
* Lynx version 2.8.6dev.15
The problem specifically exists within the feature to execute local cgi-bin programs via the "lynxcgi:" URI handler. The handler is generally intended to be restricted to a specific directory or program(s). However, due to a configuration error on multiple platforms, the default settings allow for arbitrary websites to specify commands to run as the user running Lynx.
Successful exploitation of the described vulnerability allows remote attackers to execute arbitrary commands with the privileges of the underlying user. Exploitation requires that an attacker convince a target user to follow a malicious link from within a vulnerable version of Lynx. The "lynxexec" and "lynxprog" URI handlers can also be used to trigger the issue. However, they are rarely compiled into the Lynx binary.
Workaround:
Disable "lynxcgi" links by specifying the following directive in lynx.cfg:
TRUSTED_LYNXCGI:none
Vendor Status:
Development version 2.8.6dev.15 has been released to address this issue and is available from the following URLs:
http://lynx.isc.org/current/lynx2.8.6dev.15.tar.Z, http://lynx.isc.org/current/lynx2.8.6dev.15.tar.bz2, http://lynx.isc.org/current/lynx2.8.6dev.15.tar.gz, http://lynx.isc.org/current/lynx2.8.6dev.15.zip
Alternately, an incremental patch is available at: http://lynx.isc.org/current/2.8.6dev.15.patch.gz
CVE Information:
CVE-2005-2929
Disclosure Timeline:
10/27/2005 - Initial vendor notification
10/28/2005 - Initial vendor response
11/11/2005 - Public disclosure
|
|
|
|
|
