Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
gentooGentoo FoundationGLSA-200511-09
HistoryNov 13, 2005 - 12:00 a.m.

Lynx: Arbitrary command execution

2005-11-1300:00:00
Gentoo Foundation
security.gentoo.org
10

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.018 Low

EPSS

Percentile

88.2%

JSON

Background

Lynx is a fully-featured WWW client for users running cursor-addressable, character-cell display devices such as vt100 terminals and terminal emulators.

Description

iDefense labs discovered a problem within the feature to execute local cgi-bin programs via the “lynxcgi:” URI handler. Due to a configuration error, the default settings allow websites to specify commands to run as the user running Lynx.

Impact

A remote attacker can entice a user to access a malicious HTTP server, causing Lynx to execute arbitrary commands.

Workaround

Disable “lynxcgi” links by specifying the following directive in lynx.cfg:

TRUSTED_LYNXCGI:none

Resolution

All Lynx users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-client/lynx-2.8.5-r2"
OSVersionArchitecturePackageVersionFilename
Gentooanyallwww-client/lynx< 2.8.5-r2UNKNOWN

Related

nessus 7
nvd 2
centos 2
openvas 4
redhat 1
debiancve 2
ubuntucve 2
cvelist 2
securityvulns 1
cve 2
gentoo 1
prion 1
nessus
nessus
Fedora Core 3 : lynx-2.8.5-18.0.2 (2005-1078)
2005-11-15 00:00:00
GLSA-200511-09 : Lynx: Arbitrary command execution
2005-11-15 00:00:00
Mandrake Linux Security Advisory : lynx (MDKSA-2005:211)
2006-01-15 00:00:00
nvd
nvd
CVE-2005-2929
2005-11-18 06:03:00
CVE-2008-4690
2008-10-22 18:00:01
centos
centos
lynx security update
2005-11-12 01:33:47
lynx security update
2005-11-13 22:59:14
openvas
openvas
Gentoo Security Advisory GLSA 200511-09 (lynx)
2008-09-24 00:00:00
Gentoo Security Advisory GLSA 200511-09 (lynx)
2008-09-24 00:00:00
Gentoo Security Advisory GLSA 200909-15 (lynx)
2009-09-15 00:00:00
redhat
redhat
(RHSA-2005:839) lynx security update
2005-11-11 00:00:00
debiancve
debiancve
CVE-2005-2929
2005-11-18 11:00:00
CVE-2008-4690
2008-10-22 18:00:01
ubuntucve
ubuntucve
CVE-2005-2929
2005-11-18 00:00:00
CVE-2008-4690
2008-10-22 00:00:00
cvelist
cvelist
CVE-2005-2929
2005-11-18 11:00:00
CVE-2008-4690
2008-10-22 17:00:00
securityvulns
securityvulns
[Full-disclosure] iDefense Security Advisory 11.11.05: Multiple Vendor Lynx Command Injection Vulnerability
2005-11-11 00:00:00
cve
cve
CVE-2005-2929
2005-11-18 11:00:00
CVE-2008-4690
2008-10-22 18:00:01
gentoo
gentoo
Lynx: Arbitrary command execution
2009-09-12 00:00:00
prion
prion
Sql injection
2008-10-22 18:00:00

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.018 Low

EPSS

Percentile

88.2%

JSON
Related for GLSA-200511-09
nessus7nvd2centos2openvas4redhat1debiancve2ubuntucve2cvelist2securityvulns1cve2gentoo1prion1