lynx-dev

[Lynx-dev] Possible more elegant fix for Lynx vulnerability?


From: Naveen Albert
Subject: [Lynx-dev] Possible more elegant fix for Lynx vulnerability?
Date: Tue, 13 Oct 2020 06:49:51 -0500
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.9) Goanna/4.4 Interlink/52.9.7275a1

Hello,

I've written up a whitepaper about a vulnerability with default Lynx configurations that could allow anonymous users to potentially escalate privileges and compromise a machine: https://public.interlinked.us/3/lynx-filesystem

It may have been discovered before. I independently discovered it, as have multiple others. It's been actively exploited in the wild before. This attack has been successfully used to completely compromise the root accounts of machines, and in one case resulted in irreversible data loss.

While it's not really a flaw with Lynx itself, but rather just poor security practices in general, as I'm sure you'll point out, I'm wondering if there's a more elegant way that this "loophole" with Lynx might get patched.

I'm sure this wasn't the intent, but Lynx is getting used this way and people's machines are getting p0wned, so it might be worth looking into - or maybe not. Just bringing this to your attention, if you feel it's worth addressing.

Thanks!

NA



