CVE-1999-1549
CVSS5.0
Published: 1999-11-16 00:00:00
Revised: 2016-10-17 22:05:53
NMCOS    

[Original] Lynx 2.x does not properly distinguish between internal and external HTML, which may allow a local attacker to read a "secure" hidden form value from a temporary file and craft a LYNXOPTIONS: URL that causes Lynx to modify the user's configuration file and execute commands.


[CNNVD] Lynx Internal URL "secure" Variable / Network Connection Verification Vulnerability (CNNVD-199911-053)

Lynx 2.x does not correctly distinguish internal from external HTML. A local attacker can read the "secure" hidden form value from a temporary file and craft a LYNXOPTIONS URL, causing Lynx to modify the user's configuration file and execute commands.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:university_of_kansas:lynx:2.8
cpe:/a:university_of_kansas:lynx:2.7

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1549
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1549
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199911-053
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=94286509804526&w=2
(UNKNOWN)  BUGTRAQ  19991116 lynx 2.8.x - 'special URLs' anti-spoofing protection is weak
http://www.securityfocus.com/bid/804
(VENDOR_ADVISORY)  BID  804

- Vulnerability information

Lynx Internal URL "secure" Variable / Network Connection Verification Vulnerability
Medium Design Error
1999-11-16 00:00:00 2005-10-20 00:00:00
Remote / Local
Lynx 2.x does not correctly distinguish internal from external HTML. A local attacker can read the "secure" hidden form value from a temporary file and craft a LYNXOPTIONS URL, causing Lynx to modify the user's configuration file and execute commands.

- Advisories and patches

Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Vulnerability information

13561
Lynx LYNX*:// Protocol Spoof Information Disclosure
Information Disclosure
Loss of Confidentiality Solution Unknown

- Vulnerability description

Unknown or Incomplete

- Timeline

1999-11-16 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Lynx Internal URL "secure" Parameter/Internal Link Verification Vulnerability
Design Error 804
Yes Yes
1999-11-17 12:00:00 2009-07-11 12:56:00
First posted to BugTraq by Michal Zalewski <lcamtuf@ids.pl> on Nov 17, 1999. Additional details posted to BugTraq by Michal on Nov 18, 1999.

- Affected program versions

University of Kansas Lynx 2.8
University of Kansas Lynx 2.7

- Vulnerability discussion

Lynx generally classifies webpages as either internal or external. Internal webpages are those which are used for such things as configuration, handling downloaded files, etc. External are webpages that are normally visited from a web client and are on a web server somewhere "external" from the client. To prevent authors of malicious webpages from compromising the internals of the client, the creators of Lynx put a number of restrictions on what can manipulate the internal URLs. The first is a hidden form value passed to internally rendered pages, called "secure". Unfortunately, this value doesn't live up to its name, since it is based on time(). The next method is verifying whether the pages which contain internal URLs are allowed to or not. This is done by comparing the titles of the pages being verified to what they should be (if they were legal). The section of code which does this naive check is below:


    [...]

    (!strncmp(links[curdoc.link].lname,
              "LYNXDOWNLOAD:", 13) &&
     strcmp((curdoc.title ? curdoc.title : ""),
            DOWNLOAD_OPTIONS_TITLE)) ||
    (!strncmp(links[curdoc.link].lname,
              "LYNXHIST:", 9) &&
     strcmp((curdoc.title ? curdoc.title : ""),
            HISTORY_PAGE_TITLE) &&

    [...]


If it is possible for an attacker (locally) to convince a user to enter a configuration page ('O') in lynx, the "secure" value can be obtained by calling utime() on the temporary file created in /tmp (which is where lynx creates temporary html pages). Once the "secure" value is obtained, a malicious page which is titled appropriately can pass configuration values as hidden form variables to LYNXOPTIONS://, which will take them gladly and modify the configuration options of the user (for example, setting editor to whatever the attacker wants) silently. There is a possibility that this can be exploited remotely, if the value of "secure" can be guessed.

More vulnerabilities which are consequently exposed by this problem are exploitable buffer overflows in handling of some of the configuration options. Known to lack bounds checking are operations on the buffers which store (at least temporarily) the values for options: "user agent", "preferred language", and "preferred charset".
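For contrast with the two weak checks described above (a time()-derived "secure" value and a title comparison), the following is an added example of how a defender would bind an internal form to its session instead. It is not Lynx's code, and every name in it (new_session_token, token_equal, internal_page_is_trusted, the private temp directory) is assumed.

```c
/* Added example, not Lynx's own code. Assumed names throughout; a session
   token replaces the time()-derived "secure" value and an origin check
   replaces the title comparison from the snippet above. */
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

#define TOKEN_BYTES 16
#define TOKEN_HEX   (2 * TOKEN_BYTES + 1)

/* Fresh 128-bit hex token from /dev/urandom: unlike a clock-derived value it
   cannot be reconstructed from a temp file's timestamp. 0 on success. */
int new_session_token(char hex[TOKEN_HEX]) {
    unsigned char raw[TOKEN_BYTES];
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t got = read(fd, raw, sizeof raw);
    close(fd);
    if (got != (ssize_t)sizeof raw) return -1;
    for (size_t i = 0; i < TOKEN_BYTES; i++)
        snprintf(hex + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

/* Constant-time equality: no early exit that would leak a matching prefix. */
int token_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), n = la < lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* May a LYNXOPTIONS:-style link in the current document be followed?
   internal_dir is the file: URL prefix of the private temp dir, including the
   trailing '/', so "/tmp/lynx-priv-x/" cannot pass as "/tmp/lynx-priv/". */
int internal_page_is_trusted(const char *doc_address, const char *form_secure,
                             const char *internal_dir, const char *session_token) {
    if (strncmp(doc_address, internal_dir, strlen(internal_dir)) != 0) return 0;
    if (strstr(doc_address, "/../") != NULL) return 0;  /* no escaping the dir */
    return token_equal(form_secure, session_token);
}

/* Self-check: two consecutive tokens are well-formed and differ. */
int tokens_are_fresh(void) {
    char t1[TOKEN_HEX], t2[TOKEN_HEX];
    if (new_session_token(t1) != 0 || new_session_token(t2) != 0) return 0;
    return strlen(t1) == 32 && strlen(t2) == 32 && !token_equal(t1, t2);
}
```

The origin check is what the title comparison should have been: a page's title is attacker-controlled, its load address is not, and the token is per session rather than per second.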

- Exploit

See discussion.

- Solution

Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- References
