Lynx is a text-based web browser, usually used on UNIX/Linux systems. Lynx has been found to contain a security vulnerability that allows malicious users to change Lynx's configuration settings and potentially gain access to other people's accounts.
Credit:
This information has been provided by: Michal Zalewski.
Vulnerable systems:
University of Kansas Lynx 2.8
University of Kansas Lynx 2.7
Lynx generally classifies web pages as either internal or external. Internal web pages are used for things like configuration, handling downloaded files, etc. External pages are normally visited from a web client and are on some "external" web server. To prevent authors of malicious web pages from compromising the internals of the client, the creators of Lynx put a number of restrictions on what can manipulate the internal URLs. The first is a hidden form value passed to internally rendered pages, called "secure". Unfortunately, this value doesn't live up to its name, since it is based on time(). The other method is verifying whether a page that contains internal URLs is allowed to contain them. This is done by comparing the page titles and verifying the titles are what they should be. This code section is shown below:
If it is possible for a local user to convince another user to enter a configuration page ('O') in Lynx, the "secret" value can be obtained by calling utime() on the temporary file created in /tmp (which is where Lynx creates temporary HTML pages). Once the "secret" value is obtained, a malicious page that is titled appropriately can pass configuration values as hidden form variables to LYNXOPTIONS://, which will take them gladly and modify the configuration options of the user (for example, setting editor to whatever the attacker wants) silently - effectively compromising system security.
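The weakness described above, a form token derived from time(), is shown here beside a hardened token as an added example; this is not Lynx source code. The function names, the token format and the sample timestamp are assumptions made for illustration.

```c
/* Added illustration, not Lynx source: names and token format are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define TOKEN_LEN 33 /* 32 hex digits + NUL */

/* Weak: the token is only the creation time, so any timestamp leak reveals it. */
void weak_token(time_t created, char out[TOKEN_LEN]) {
    snprintf(out, TOKEN_LEN, "%ld", (long)created);
}

/* Hardened: 128 bits from the kernel CSPRNG, hex-encoded. Returns 0 on success. */
int strong_token(char out[TOKEN_LEN]) {
    unsigned char buf[16];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (n != sizeof buf) return -1;
    for (size_t i = 0; i < sizeof buf; i++)
        snprintf(out + 2 * i, 3, "%02x", buf[i]);
    return 0;
}

/* Audit check: is the token derivable from a timestamp an observer already has
 * (such as a temp file's mtime), allowing +/- skew seconds of drift?
 * Returns the number of candidates tried before a match, or 0 if none match. */
int derivable_from_timestamp(const char *token, time_t observed, int skew) {
    char guess[TOKEN_LEN];
    int tries = 0;
    for (int d = -skew; d <= skew; d++) {
        weak_token(observed + d, guess);
        tries++;
        if (strcmp(guess, token) == 0) return tries;
    }
    return 0;
}

int main(void) {
    char weak[TOKEN_LEN], strong[TOKEN_LEN];
    time_t created = 946684800; /* constructed sample timestamp */
    weak_token(created, weak);
    if (strong_token(strong) != 0) return 1;
    printf("weak   %s tries=%d\n", weak, derivable_from_timestamp(weak, created + 1, 2));
    printf("strong %s tries=%d\n", strong, derivable_from_timestamp(strong, created + 1, 2));
    return 0;
}
```

A token that fails this check gives no protection once the creation time is visible to other local users; the hardened token does not depend on any observable state.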