Hmm - another message that apparently got dropped by the mailing list, so I am re-forwarding the forwarded response. Forgot to cc the first time anyway, which makes the advice at the beginning a bit pointless...

---------- Forwarded message ----------
Date: Fri, 17 Mar 2000 12:39:38 -0600 (CST)
From: Klaus Weide <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: RE: lynx 2.8.x - 'special URLs' anti-spoofing protection is weak (fwd)

[ forwarding to lynx-dev - will respond later ]

Servio: please either temporarily subscribe to lynx-dev (see <http://www.crl.com/~subir/lynx/lynx_help/lynx-dev.html>), or keep checking the current month's archive (<http://www.flora.org/lynx-dev/html/month032000/>), in order to not miss followup responses.

Klaus

---------- Forwarded message ----------
Date: Fri, 17 Mar 2000 13:09:24 -0500
From: Servio Medina <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: RE: lynx 2.8.x - 'special URLs' anti-spoofing protection is weak

Klaus,

Thank you for the reply. I am following up on a post from Michael Zalewski to the Bugtraq mailing list on Nov. 17, 1999 which spawned a thread in the lynx-dev mailing list. One post (submitted by yourself) states "Yes, there are two nasties that he found. And he's right about both of them." This together with the FreeBSD Advisory (previous email to you) both caught my attention and I started digging for more information. However, I was unable to ascertain whether this was necessary to fix, and if so, the nature of the correction(s): where to obtain, who should obtain, etc.

I would be glad to post directly to the lynx-dev mailing list and if there is anything else I can provide that may assist, please do not hesitate to ask.

Again, I am simply attempting to understand the nature of what appears to be a vulnerability in Lynx (ah, Lynx - my first browse was via lynx back in 1992 on SunOS 4.1...prior to mosaic; yep, gone are the days of archie, veronica, mosaic...but not Lynx) though I am not directly affected by this nor is the company for which I work.

Thank you Klaus. Let me know how I should proceed to inquire further and/or obtain further information regarding this issue. Thanks again.

Servio
Information Security Analyst
www.idefense.com

-----Original Message-----
From: Klaus Weide [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 17, 2000 12:57 PM
To: Servio Medina
Subject: Re: lynx 2.8.x - 'special URLs' anti-spoofing protection is weak

On Fri, 17 Mar 2000, Servio Medina wrote:

> Klaus,
>
> I just scanned through the posts that are archived at
> http://www.flora.org/lynx-dev/html/month111999/ in order to obtain further
[...]
>
> I hope to hear from you soon.
> Servio
>
> Servio Medina - [EMAIL PROTECTED]
> Information Security Analyst
> www.idefense.com

I'd like to reply to the lynx-dev list (cc'd to you if you prefer). Any objection to quoting your message in full? In general, I would like all discussion to take place on the mailing list.

As a preliminary response - I welcome you, FreeBSD, whoever looking into this. But more concrete questions would be helpful - including specific URLs that mention problems - rather than a general bait. For one thing, I don't know which Lynx version you/FreeBSD are concerned with. In case of a specific setup, the compile-time options chosen (./configure flags) would also be relevant.

Klaus
