Rapid7 Vulnerability & Exploit Database

RHSA-2003:029: Updated lynx packages fix CRLF injection vulnerability


Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published: 02/19/2003
Created: 07/25/2018
Added: 10/28/2005
Modified: 07/04/2017

Description

Updated lynx packages are available that fix an error in the way lynx parses its command line arguments, which can lead to faked headers being sent to a web server. [Updated 16 April 2003] Added packages for Red Hat Linux on IBM iSeries and pSeries systems.

Lynx is a character-cell Web browser, suitable for running on terminals such as VT100. Lynx constructs its HTTP queries from the command line (or the WWW_HOME environment variable) without regard to special characters such as carriage returns or linefeeds. When given a URL containing such special characters, extra headers could be inserted into the request. This could cause scripts using lynx to fetch data from the wrong site on servers with virtual hosting. Users of Lynx are advised to upgrade to these erratum packages, which contain a patch to correct this issue.
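The description above concerns scripts that pass externally supplied URLs to lynx on the command line. The following Python snippet is an added example, not code from Red Hat, Lynx or Rapid7: it shows a defensive wrapper that rejects any URL containing ASCII control characters (carriage return, linefeed, tab, NUL and friends) before the URL ever reaches the lynx process, and that invokes lynx with an argument list rather than a shell string. The function names, the sample URLs and the assumption that `lynx -dump` is the command being wrapped are all constructed for this illustration.

```python
import re
import subprocess
from urllib.parse import urlsplit

# RFC 3986 URLs consist of printable ASCII only; any C0 control character or
# DEL has no legitimate place in one and is the raw material of CRLF injection.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def url_is_safe_for_lynx(url: str) -> bool:
    """Return True only for an absolute http(s) URL that contains no control characters.

    The control-character check runs BEFORE urlsplit(): recent Python versions
    silently strip tab, CR and LF inside urlsplit(), so checking afterwards
    would let exactly the bytes we care about slip through unnoticed.
    """
    if not isinstance(url, str) or _CONTROL_CHARS.search(url):
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if not parts.netloc:
        return False
    return True


def lynx_dump(url: str, timeout: int = 30) -> str:
    """Fetch a page as plain text via `lynx -dump` after validating the URL.

    Hypothetical wrapper: it assumes a lynx binary is on PATH. The URL is passed
    as a separate argv element (no shell), so shell metacharacters are inert
    too; the validation above is what keeps CR/LF out of the HTTP request.
    """
    if not url_is_safe_for_lynx(url):
        raise ValueError("refusing URL with control characters or unexpected scheme")
    result = subprocess.run(
        ["lynx", "-dump", url],
        capture_output=True,
        text=True,
        timeout=timeout,
        check=True,
    )
    return result.stdout


# Constructed sample inputs: one benign URL, then several that a wrapper
# around lynx should refuse (raw CR/LF, an embedded tab, a NUL, a non-http
# scheme and a bare path with no host).
SAMPLE_URLS = {
    "http://www.example.com/index.html": True,
    "http://www.example.com/\r\nHost: other.example": False,
    "http://www.example.com/path\twith-tab": False,
    "http://www.example.com/\x00": False,
    "ftp://www.example.com/pub/": False,
    "/relative/only": False,
}


def classify_samples() -> dict:
    """Map each constructed sample URL to the validator's verdict."""
    return {u: url_is_safe_for_lynx(u) for u in SAMPLE_URLS}


if __name__ == "__main__":
    for url, verdict in classify_samples().items():
        print(f"{'ALLOW' if verdict else 'REJECT'}  {url!r}")
```

The check is deliberately a rejection of the whole request rather than a silent strip of the offending characters: a URL that arrives with a carriage return in it is never something a script meant to fetch, and refusing it surfaces the bad input to whoever is feeding the script instead of quietly fetching something else.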

Solution(s)

  • redhat-upgrade-lynx
