CVE-2002-1405
CVSS 5.0
Published: 2003-02-19 00:00:00
Last modified: 2016-10-17 22:26:57

[Original] CRLF injection vulnerability in Lynx 2.8.4 and earlier allows remote attackers to inject false HTTP headers into an HTTP request that is provided on the command line, via a URL containing encoded carriage return, line feed, and other whitespace characters.


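[CNNVD] Lynx command-line URL CRLF injection vulnerability (CNNVD-200302-031)

        
        Lynx is a full-featured web browser that runs on many operating systems.
        When Lynx is invoked from the command line, it does not handle carriage return and line feed characters correctly, so a remote attacker can exploit this vulnerability to add HTTP header information and manipulate the HTTP request.
        When the URL is given on the command line or in the WWW_HOME environment variable, Lynx does not remove or encode dangerous characters such as space, TAB, CR and LF before constructing the HTTP query. This means an attacker can restructure the URL and send arbitrary forged HTTP headers by appending, after a normal URL, a space + "HTTP/1.0" + CRLF + some header information + CRLF + CRLF.
        When a program launches Lynx with the host part of the URL supplied by the program and the path supplied by the user (for example "lynx http://www.site3.st/$path ", where the path is supplied by the user), an attacker can make the program access web sites other than www.site3.st; if virtual hosts exist on the www.site3.st machine, adding "Host:" to header information like that described above is enough to access the content of other virtual hosts.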
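
Added example (not part of the original advisory and not Lynx code): a caller-side guard for the "lynx http://www.site3.st/$path" case above, which percent-encodes the user-supplied path before it reaches the command line. The names `build_url`, `lynx_argv`, `naive_request` and `effective_host` are hypothetical, and `naive_request` is only an assumed model of a client that copies the URL into the request line verbatim.

```python
import re
from urllib.parse import quote

# Characters the advisory calls dangerous in a command-line URL: space, TAB,
# CR, LF. Every other ASCII control character is treated the same way here.
UNSAFE = re.compile(r"[\x00-\x20\x7f]")

def build_url(host, user_path):
    """Return http://host/<path> with the user-supplied path percent-encoded."""
    if not host or "/" in host or UNSAFE.search(host):
        raise ValueError("host must be a fixed, program-supplied name")
    # quote() keeps letters, digits, "_.-~" and "/" and encodes the rest, so
    # space, TAB, CR and LF become %20, %09, %0D and %0A. "?" and "%" are
    # encoded too: this helper is for a path, not an already-encoded URL.
    return "http://" + host + "/" + quote(user_path.lstrip("/"), safe="/")

def lynx_argv(host, user_path):
    """argv list for subprocess.run(); no shell ever parses the URL."""
    return ["lynx", "-dump", build_url(host, user_path)]

def naive_request(url):
    """Model (assumption) of a client that copies the URL path verbatim."""
    parts = url.split("/", 3)            # ['http:', '', host, path]
    path = "/" + (parts[3] if len(parts) > 3 else "")
    return "GET " + path + " HTTP/1.0\r\nHost: " + parts[2] + "\r\n\r\n"

def effective_host(request):
    """First Host header a server sees before the blank line ending the headers."""
    for line in request.split("\n")[1:]:
        line = line.rstrip("\r")
        if not line:
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None

# Constructed sample: the path value from the page's proof of concept.
SAMPLE_PATH = " HTTP/1.0\nHost: www.site2.st\n\n"

if __name__ == "__main__":
    raw = "http://www.site3.st/" + SAMPLE_PATH
    print(effective_host(naive_request(raw)))    # unencoded: Host is replaced
    print(lynx_argv("www.site3.st", SAMPLE_PATH)[2])
    print(effective_host(naive_request(build_url("www.site3.st", SAMPLE_PATH))))
```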
        

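- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)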

cpe:/a:elinks:elinks:0.3.2
cpe:/a:university_of_kansas:lynx:2.8.3
cpe:/a:elinks:elinks:0.2.4
cpe:/a:university_of_kansas:lynx:2.8.4
cpe:/a:university_of_kansas:lynx:2.8.3_rel1
cpe:/a:links:links:0.96
cpe:/a:university_of_kansas:lynx:2.8.2_rel1
cpe:/a:university_of_kansas:lynx:2.8.4_rel1
cpe:/a:university_of_kansas:lynx:2.8.5_dev8

- OVAL (technical details used for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1405
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1405
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200302-031
(official data source) CNNVD

- Other links and resources

ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-049.0.txt
(UNKNOWN)  CALDERA  CSSA-2002-049.0
http://marc.info/?l=bugtraq&m=102978118411977&w=2
(UNKNOWN)  BUGTRAQ  20020819 Lynx CRLF Injection
http://marc.info/?l=bugtraq&m=103003793418021&w=2
(UNKNOWN)  BUGTRAQ  20020822 Lynx CRLF Injection, part two
http://www.debian.org/security/2002/dsa-210
(VENDOR_ADVISORY)  DEBIAN  DSA-210
http://www.iss.net/security_center/static/9887.php
(VENDOR_ADVISORY)  XF  lynx-crlf-injection(9887)
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:023
(UNKNOWN)  MANDRAKE  MDKSA-2003:023
http://www.redhat.com/support/errata/RHSA-2003-029.html
(UNKNOWN)  REDHAT  RHSA-2003:029
http://www.redhat.com/support/errata/RHSA-2003-030.html
(UNKNOWN)  REDHAT  RHSA-2003:030
http://www.securityfocus.com/bid/5499
(UNKNOWN)  BID  5499
http://www.trustix.net/errata/misc/2002/TSL-2002-0085-lynx-ssl.asc.txt
(UNKNOWN)  TRUSTIX  2002-0085

- Vulnerability information

Lynx command-line URL CRLF injection vulnerability
Medium risk  Input validation
2003-02-19 00:00:00 2005-05-13 00:00:00
Remote
        
        

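- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends taking the following measures to reduce the threat:
        * No suitable temporary workaround is available at this time.
        Vendor patch:
        University of Kansas
        --------------------
        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
        University of Kansas Patch lynx2.8.4rel.1c.patch
        ftp://lynx.isc.org/lynx/lynx2.8.4/patches/lynx2.8.4rel.1c.patch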

- Vulnerability information (21722)

Lynx 2.8.x Command Line URL CRLF Injection Vulnerability (EDBID:21722)
linux remote
2002-08-19 Verified
0 Ulf Harnhammar
N/A
source: http://www.securityfocus.com/bid/5499/info

A CRLF injection vulnerability has been reported for Lynx that may allow an attacker to include extra HTTP headers when viewing web pages. If Lynx is called from the command line, carriage return and line feed (CRLF) characters may be included in the specified URL. These characters are not escaped when the input is used to construct a HTTP request.

Exploitation of this flaw may allow an attacker to inject additional HTTP headers into a request. Abuse of the 'Host' header may cause the request to be served as if made to a different domain, possibly providing the attacker with more control over the content returned.

This vulnerability has been reported for Lynx versions 2.8.4rel.1, 2.8.5dev.8, 2.8.3rel.1 and 2.8.2rel.1. It is not known whether other versions are affected.

*** Links 0.9.6 and ELinks have also been reported as being vulnerable. Some versions of Links and ELinks URL encode space characters so an attacker needs to use tab characters, instead of spaces, to exploit the issue on these browsers.

#!/usr/bin/perl --
# Ulf Harnhammar 2002
# example: ./exploit www.site1.st www.site2.st
# will show www.site2.st

die "$0 hostone hosttwo\n" if @ARGV != 2;

exec('lynx "'.
     "http://$ARGV[0]/ HTTP/1.0\012".
     "Host: $ARGV[1]\012\012".
     '"');		

- Vulnerability information

12657
Lynx Command Line CRLF Injection
Remote / Network Access Input Manipulation
Loss of Integrity Solution Unknown

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-08-18 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Lynx Command Line URL CRLF Injection Vulnerability
Input Validation Error 5499
Yes No
2002-08-19 12:00:00 2009-07-11 03:56:00
Discovery credited to Ulf Harnhammar <ulfh@update.uu.se>.

- Affected program versions

University of Kansas Lynx 2.8.5 dev.8
+ MandrakeSoft Multi Network Firewall 2.0
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
University of Kansas Lynx 2.8.4 rel.1
University of Kansas Lynx 2.8.4
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Debian Linux 3.0
+ RedHat Linux for iSeries 7.1
+ RedHat Linux for pSeries 7.1
+ Sun Linux 5.0.6
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
University of Kansas Lynx 2.8.3 rel.1
University of Kansas Lynx 2.8.3
+ Debian Linux 2.2
University of Kansas Lynx 2.8.2 rel.1
Twibright Labs Links 0.96
ELinks ELinks 0.3.2
ELinks ELinks 0.2.4
ELinks ELinks 0.4 pre15

- Unaffected program versions

ELinks ELinks 0.4 pre15


- Exploit

The following exploit has been provided by Ulf Harnhammar <ulfh@update.uu.se>:

- Solution

ELinks 0.4pre15 is not vulnerable to this issue. Users of ELinks are urged to download and install the newest version of ELinks:

Conectiva has released an advisory (CLA-2003:720) to address this issue. Please see the attached advisory for further details regarding applying fixes. Fixes are linked below.

SCO has released a security advisory. Fixes for OpenLinux are available.

The Lynx patch is now available at a different location.

Debian has released an advisory (Debian Security Advisory DSA-210-1) which contains fixes. Please see the attached advisory for more details on obtaining fixes.

Red Hat has released advisory RHSA-2003:029-06 to address this issue.

OpenPKG has made fixed versions of their lynx package available. See the referenced advisory for more details.

Sun has released a fix for Sun Linux 5.0.6.

The following fixes are available:


ELinks ELinks 0.2.4

ELinks ELinks 0.3.2

University of Kansas Lynx 2.8.3

University of Kansas Lynx 2.8.4

University of Kansas Lynx 2.8.4 rel.1

University of Kansas Lynx 2.8.5 dev.8
