Date: Sun, 2 Apr 2000 13:33:28 -0500
From: "Doug Poland" <dpoland@execpc.com>
To: "Christian Weisgerber" <naddy@mips.rhein-neckar.de>
Cc: <freebsd-questions@freebsd.org>
Subject: RE: Lynx forbidden
Message-ID: <NDBBKMNOJKJGAEKJNLIAEEJEDDAA.dpoland@execpc.com>
In-Reply-To: <8c7tfg$17jv$1@bigeye.rhein-neckar.de>
Christian Weisgerber kindly responded:

> Doug Poland <dpoland@execpc.com> wrote:
>
> > How does a cracker exploit (or create?) buffer overflows
> > that make lynx vulnerable?
>
> Exploitation would take the form of somebody having a web site with
> overlong URLs (and possibly some other structures lynx is vulnerable
> to, I don't know the details of the security audit) that will
> overflow lynx' internal buffers, clobber the stack, and cause this
> remote data to be executed as code.
>
> Effectively, you would attempt to load a page and unwittingly
> execute some code provided from the malicious server locally on
> your system under your user ID and permissions.
>
> The possibilities for abuse are immense. Examples include deleting
> all your files, modifying your .rhosts or ssh configuration in such
> a way as to open up your account to unauthorized remote login, or
> copying (possibly sensitive) personal data.

Thank you for the thorough explanation.

> > If I have lynx on my system, when am I at risk?
>
> When you access a remote untrusted web server.
>
> Please note that the security status of other browsers such as w3m
> is more along the lines of "unknown" rather than "safe". And I
> don't even want to think about netscape.

This raises the question, is there a "safe" browser? And, how does one recognize and avoid untrusted web servers?

> > Doesn't sysinstall use lynx to read on-line documentation?
> > If it's so risky, why would the installation program use it?
>
> The recognition that lynx is unsafe is somewhat new, and the problem
> will probably be fixed eventually. Also, there is no security risk
> involved in using it to read the locally installed documentation.

I understand.

> --
> Christian "naddy" Weisgerber                 naddy@mips.rhein-neckar.de

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
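The bug class Christian describes (a server-supplied URL longer than the fixed buffer a browser copies it into) comes down to one unbounded copy. The C below is an added illustration, not code from lynx or from anyone in this thread: it shows the unchecked copy pattern next to a bounded version that refuses an overlong href instead of writing past the buffer. The buffer size, the `example.invalid` host and the helper names are constructed for the example and say nothing about lynx's real internals.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative fixed-size URL buffer (constructed size, not lynx's real one). */
#define URL_BUF_SIZE 256

/* Unsafe pattern behind the bug class discussed above: an unbounded copy that
 * assumes a server-supplied href fits the buffer. It is called here only with a
 * short, known string; an overlong href would write past the end of buf, which is
 * the stack clobbering the quoted message describes. */
static void copy_url_unchecked(char *buf, const char *url)
{
    strcpy(buf, url);   /* no length check at all */
}

/* Hardened form: look for the terminator within bufsize bytes before copying.
 * Returns 0 and copies on success; returns -1 and leaves buf untouched when the
 * href would not fit. Rejecting (rather than silently truncating) lets the caller
 * log the oversized link and skip it. */
int copy_url_bounded(char *buf, size_t bufsize, const char *url)
{
    size_t i;
    for (i = 0; i < bufsize; i++) {
        if (url[i] == '\0') {
            memcpy(buf, url, i + 1);   /* includes the terminator */
            return 0;
        }
    }
    return -1;   /* no terminator within bufsize: would overflow */
}

/* Builds a constructed href "http://example.invalid/AAAA..." with pathlen 'A's,
 * standing in for a link taken from an untrusted page. Caller frees the result. */
char *make_href(size_t pathlen)
{
    const char *prefix = "http://example.invalid/";   /* 23 characters */
    size_t plen = strlen(prefix);
    char *s = malloc(plen + pathlen + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, prefix, plen);
    memset(s + plen, 'A', pathlen);
    s[plen + pathlen] = '\0';
    return s;
}

int main(void)
{
    char buf[URL_BUF_SIZE];
    char *ok = make_href(40);      /* 63 bytes: fits */
    char *bad = make_href(4000);   /* 4023 bytes: must be rejected */

    copy_url_unchecked(buf, "http://example.invalid/");   /* safe only because the input is known */
    printf("short href:    %s\n", copy_url_bounded(buf, sizeof buf, ok) == 0 ? "accepted" : "rejected");
    printf("overlong href: %s\n", copy_url_bounded(buf, sizeof buf, bad) == 0 ? "accepted" : "rejected");

    free(ok);
    free(bad);
    return 0;
}
```

The bounded version is deliberately strict at the boundary: a 255-character href plus its terminator fills a 256-byte buffer exactly and is accepted, while 256 characters leave no room for the terminator and are refused before a single byte is written.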