J-Security Center

Title: Lynx Command Line URL CRLF Injection Vulnerability

Severity: HIGH

Description:

Lynx is a freely distributable, text-based WWW client. It is available for various operating systems and platforms, including Linux and Unix variants and Microsoft Windows operating environments.

A CRLF injection vulnerability has been reported for Lynx that may allow an attacker to include extra HTTP headers when viewing web pages. If Lynx is called from the command line, carriage return and line feed (CRLF) characters may be included in the specified URL. These characters are not escaped when the input is used to construct an HTTP request.

As CRLF is used as a delimiter between headers under the HTTP protocol, exploitation of this vulnerability will result in additional headers being included in the HTTP request.

Injection of a 'Host' header may cause the request to be serviced as if made to a different domain, if the server in question supports multiple hosts. It may also be possible to inject arbitrary cookie data.

It is still possible for attackers to exploit this vulnerability even if the '-realm' and '-restrictions=useragent' options are used. Reportedly, it is also possible for an attacker to contact other types of servers, including POP3 servers and MTAs (Mail Transfer Agents).

This vulnerability has been reported for Lynx versions 2.8.4rel.1, 2.8.5dev.8, 2.8.3rel.1 and 2.8.2rel.1. It is not known whether other versions are affected.

*** Links 0.9.6 and ELinks have also been reported as being vulnerable. Some versions of Links and ELinks URL-encode space characters, so an attacker needs to use tab characters instead of spaces to exploit the issue on these browsers.
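
An added illustration of the mechanism described above (not Lynx's code and not part of the original advisory): a simplified request builder that copies the URL verbatim, beside a hardened one that percent-encodes CR, LF, tab and space in the path and rejects them in the host. The function names and the `a.example`/`b.example` sample URL are constructed for this example.

```python
import re
from urllib.parse import quote

# ASCII controls (CR, LF and tab included), space and DEL.
UNSAFE = re.compile(r"[\x00-\x20\x7f]")

def split_http_url(url):
    """Minimal http://host/path splitter, written for this example only."""
    if not url.startswith("http://"):
        raise ValueError("only http:// URLs are handled here")
    host, _, path = url[len("http://"):].partition("/")
    return host, "/" + path

def build_request_naive(url):
    """Model of the flaw: URL text is copied into the request unescaped."""
    host, path = split_http_url(url)
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n"

def build_request_hardened(url):
    """Reject unsafe bytes in the host, percent-encode them in the path."""
    host, path = split_http_url(url)
    if not host or UNSAFE.search(host):
        raise ValueError("empty host or control/whitespace character in host")
    # '%' stays in the safe set so existing escapes are not double-encoded.
    path = quote(path, safe="/?&=;:@%+,$-_.!~*'()")
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n"

def header_lines(request):
    """Header lines a server would parse after the request line."""
    head = request.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]

# Constructed sample input: CR LF embedded in the path part of the URL.
SAMPLE = "http://a.example/index.html\r\nHost: b.example"

if __name__ == "__main__":
    print(header_lines(build_request_naive(SAMPLE)))     # two Host lines
    print(header_lines(build_request_hardened(SAMPLE)))  # one Host line
```

Scripts that pass externally supplied URLs to a text browser on the command line can apply the same check before invoking it.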

Affected Products:

  • Caldera OpenLinux Server 3.1.0
  • Caldera OpenLinux Server 3.1.1
  • Caldera OpenLinux Workstation 3.1.0
  • Caldera OpenLinux Workstation 3.1.1
  • Conectiva Linux 7.0.0
  • Conectiva Linux 8.0.0
  • Debian Linux 2.2.0
  • Debian Linux 3.0.0
  • ELinks ELinks 0.2.4
  • ELinks ELinks 0.3.2
  • Links Links 0.96.0
  • MandrakeSoft Linux Mandrake 7.2.0
  • MandrakeSoft Linux Mandrake 8.0.0
  • MandrakeSoft Linux Mandrake 8.0.0 ppc
  • MandrakeSoft Linux Mandrake 8.1.0
  • MandrakeSoft Linux Mandrake 8.1.0 ia64
  • MandrakeSoft Linux Mandrake 8.2.0
  • MandrakeSoft Linux Mandrake 8.2.0 ppc
  • MandrakeSoft Linux Mandrake 9.0.0
  • MandrakeSoft Multi Network Firewall 2.0.0
  • MandrakeSoft Single Network Firewall 7.2.0
  • RedHat Linux for iSeries 7.1.0
  • RedHat Linux for pSeries 7.1.0
  • Sun Linux 5.0.6
  • Trustix Secure Linux 1.1.0
  • Trustix Secure Linux 1.2.0
  • Trustix Secure Linux 1.5.0
  • University of Kansas Lynx 2.8.2 rel.1
  • University of Kansas Lynx 2.8.3
  • University of Kansas Lynx 2.8.3 rel.1
  • University of Kansas Lynx 2.8.4
  • University of Kansas Lynx 2.8.4 rel.1
  • University of Kansas Lynx 2.8.5 dev.8
