Vulnerabilities > CVE-2002-1405
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
CRLF injection vulnerability in Lynx 2.8.4 and earlier allows remote attackers to inject false HTTP headers into an HTTP request that is provided on the command line, via a URL containing encoded carriage return, line feed, and other whitespace characters.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 | |
| Application | 1 | |
| Application | 6 |
Exploit-Db
| description | Lynx 2.8.x Command Line URL CRLF Injection Vulnerability. CVE-2002-1405. Remote exploit for linux platform |
| id | EDB-ID:21722 |
| last seen | 2016-02-02 |
| modified | 2002-08-19 |
| published | 2002-08-19 |
| reporter | Ulf Harnhammar |
| source | https://www.exploit-db.com/download/21722/ |
| title | Lynx 2.8.x Command Line URL CRLF Injection Vulnerability |
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-210.NASL description lynx (a text-only web browser) did not properly check for illegal characters in all places, including processing of command line options, which could be used to insert extra HTTP headers in a request. For Debian GNU/Linux 2.2/potato this has been fixed in version 2.8.3-1.1 of the lynx package and version 2.8.3.1-1.1 of the lynx-ssl package. For Debian GNU/Linux 3.0/woody this has been fixed in version 2.8.4.1b-3.2 of the lynx package and version 1:2.8.4.1b-3.1 of the lynx-ssl package. last seen 2020-06-01 modified 2020-06-02 plugin id 15047 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15047 title Debian DSA-210-1 : lynx - CRLF injection code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-210. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(15047); script_version("1.19"); script_cvs_date("Date: 2019/08/02 13:32:17"); script_cve_id("CVE-2002-1405"); script_bugtraq_id(5499); script_xref(name:"DSA", value:"210"); script_name(english:"Debian DSA-210-1 : lynx - CRLF injection"); script_summary(english:"Checks dpkg output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "lynx (a text-only web browser) did not properly check for illegal characters in all places, including processing of command line options, which could be used to insert extra HTTP headers in a request. For Debian GNU/Linux 2.2/potato this has been fixed in version 2.8.3-1.1 of the lynx package and version 2.8.3.1-1.1 of the lynx-ssl package. For Debian GNU/Linux 3.0/woody this has been fixed in version 2.8.4.1b-3.2 of the lynx package and version 1:2.8.4.1b-3.1 of the lynx-ssl package." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2002/dsa-210" ); script_set_attribute( attribute:"solution", value:"Upgrade the affected lynx, and lynx-ssl packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:lynx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:lynx-ssl"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2002/12/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29"); script_set_attribute(attribute:"vuln_publication_date", value:"2002/08/18"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"2.2", prefix:"lynx", reference:"2.8.3-1.1")) flag++; if (deb_check(release:"2.2", prefix:"lynx-ssl", reference:"2.8.3.1-1.1")) flag++; if (deb_check(release:"3.0", prefix:"lynx", reference:"2.8.4.1b-3.2")) flag++; if (deb_check(release:"3.0", prefix:"lynx-ssl", reference:"2.8.4.1b-3.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2003-030.NASL description Updated Lynx packages fix an error in the way Lynx parses its command line arguments which can lead to faked headers being sent to a Web server. Lynx is a character-cell Web browser, suitable for running on terminals such as the VT100. Lynx constructs its HTTP queries from the command line (or WWW_HOME environment variable) without regard to special characters such as carriage returns or linefeeds. When given a URL containing such special characters, extra headers could be inserted into the request. This could cause scripts using Lynx to fetch data from the wrong site from servers with virtual hosting. Users of Lynx are advised to upgrade to these erratum packages which contain a patch to correct this isssue. last seen 2020-06-01 modified 2020-06-02 plugin id 12357 published 2004-07-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/12357 title RHEL 2.1 : lynx (RHSA-2003:030) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2003:030. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(12357); script_version ("1.25"); script_cvs_date("Date: 2019/10/25 13:36:10"); script_cve_id("CVE-2002-1405"); script_xref(name:"RHSA", value:"2003:030"); script_name(english:"RHEL 2.1 : lynx (RHSA-2003:030)"); script_summary(english:"Checks the rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing a security update." ); script_set_attribute( attribute:"description", value: "Updated Lynx packages fix an error in the way Lynx parses its command line arguments which can lead to faked headers being sent to a Web server. Lynx is a character-cell Web browser, suitable for running on terminals such as the VT100. Lynx constructs its HTTP queries from the command line (or WWW_HOME environment variable) without regard to special characters such as carriage returns or linefeeds. When given a URL containing such special characters, extra headers could be inserted into the request. This could cause scripts using Lynx to fetch data from the wrong site from servers with virtual hosting. Users of Lynx are advised to upgrade to these erratum packages which contain a patch to correct this isssue." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2002-1405" ); # http://www.mail-archive.com/[email protected]/msg08897.html script_set_attribute( attribute:"see_also", value:"https://www.mail-archive.com/[email protected]/msg08897.html" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2003:030" ); script_set_attribute(attribute:"solution", value:"Update the affected lynx package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:lynx"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2003/02/19"); script_set_attribute(attribute:"patch_publication_date", value:"2003/02/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2003:030"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"lynx-2.8.4-18.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "lynx"); } }NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2003-023.NASL description A vulnerability was discovered in lynx, a text-mode web browser. The HTTP queries that lynx constructs are from arguments on the command line or the $WWW_HOME environment variable, but lynx does not properly sanitize special characters such as carriage returns or linefeeds. Extra headers can be inserted into the request because of this, which can cause scripts that use lynx to fetch data from the wrong site from servers that use virtual hosting. last seen 2020-06-01 modified 2020-06-02 plugin id 14008 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14008 title Mandrake Linux Security Advisory : lynx (MDKSA-2003:023) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2003:023. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(14008); script_version ("1.18"); script_cvs_date("Date: 2019/08/02 13:32:46"); script_cve_id("CVE-2002-1405"); script_xref(name:"MDKSA", value:"2003:023"); script_name(english:"Mandrake Linux Security Advisory : lynx (MDKSA-2003:023)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Mandrake Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "A vulnerability was discovered in lynx, a text-mode web browser. The HTTP queries that lynx constructs are from arguments on the command line or the $WWW_HOME environment variable, but lynx does not properly sanitize special characters such as carriage returns or linefeeds. Extra headers can be inserted into the request because of this, which can cause scripts that use lynx to fetch data from the wrong site from servers that use virtual hosting." ); script_set_attribute(attribute:"solution", value:"Update the affected lynx package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lynx"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2003/02/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"lynx-2.8.5-0.10mdk.dev.8", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"lynx-2.8.5-0.10mdk.dev.8", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"lynx-2.8.5-0.10mdk.dev.8", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"lynx-2.8.5-0.10mdk.dev.8", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"lynx-2.8.5-0.10mdk.dev.8", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
Redhat
| advisories |
|
References
- ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-049.0.txt
- http://marc.info/?l=bugtraq&m=102978118411977&w=2
- http://marc.info/?l=bugtraq&m=103003793418021&w=2
- http://www.debian.org/security/2002/dsa-210
- http://www.iss.net/security_center/static/9887.php
- http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:023
- http://www.redhat.com/support/errata/RHSA-2003-029.html
- http://www.redhat.com/support/errata/RHSA-2003-030.html
- http://www.securityfocus.com/bid/5499
- http://www.trustix.net/errata/misc/2002/TSL-2002-0085-lynx-ssl.asc.txt