Re: LYNX-DEV Lynx/MSIE denial-of-service
From: Klaus Weide
Subject: Re: LYNX-DEV Lynx/MSIE denial-of-service
Date: Tue, 11 Mar 1997 18:21:38 -0600 (CST)
On Tue, 11 Mar 1997, Alan Cox wrote:
> > The CHARGEN service has other security implications and should be turned
> > off in normal system operation.
>
> Indeed.
Although CERT Advisory CA-96.01 seems to be mostly concerned with UDP
services.
> Lynx ought to have a sanity limit on page sizes
If you count input bytes in SGML_character, and similarly in
HTPlain_put_character and HTPlain_write, and compare against a
configured DOCUMENT_MAX_SIZE on each call, you should catch the "normal"
cases where Lynx wants to display a document. It wouldn't catch the
output of some internal gateways which call HTML.c functions directly,
but tricking those into generating an endless stream of bytes should be at
least a bit more difficult. It also wouldn't catch D)ownloads and other
cases where Lynx writes incoming data to disk.
> and also on opening device
> files
It's useful in some cases; try something like
[some command] | lynx /dev/fd/0 ...
Klaus
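The per-call byte counting described in the message above, as an added example; it is not part of the original post and is not Lynx code. The sink type and function names are hypothetical stand-ins for the stream functions the message names, and only DOCUMENT_MAX_SIZE, as a proposed setting, comes from the message.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names, not Lynx source. limited_sink stands in for the
 * stream state behind SGML_character / HTPlain_write; max_size stands in
 * for the configured DOCUMENT_MAX_SIZE proposed in the message. */
typedef struct {
    size_t seen;      /* input bytes accepted so far */
    size_t max_size;  /* configured limit; 0 = unlimited */
    int aborted;      /* latched once the limit is hit */
} limited_sink;

void sink_init(limited_sink *s, size_t max_size) {
    s->seen = 0;
    s->max_size = max_size;
    s->aborted = 0;
}

/* Called on every put: 0 = keep going, -1 = caller must abort the load. */
static int sink_account(limited_sink *s, size_t n) {
    if (s->aborted)
        return -1;
    /* Subtract instead of add so a huge n cannot wrap the counter. */
    if (s->max_size != 0 && n > s->max_size - s->seen) {
        s->aborted = 1;
        return -1;
    }
    s->seen += n;
    return 0;
}

int sink_put_character(limited_sink *s, char c) { (void)c; return sink_account(s, 1); }
int sink_write(limited_sink *s, const char *buf, size_t len) { (void)buf; return sink_account(s, len); }

/* Constructed stand-in for a server that never stops sending: offers
 * `rounds` 10-byte chunks and returns how many bytes were accepted. */
size_t feed_stream(limited_sink *s, size_t rounds) {
    static const char chunk[] = "ABCDEFGH\r\n";
    size_t accepted = 0;
    while (rounds-- > 0 && sink_write(s, chunk, sizeof chunk - 1) == 0)
        accepted += sizeof chunk - 1;
    return accepted;
}

int main(void) {
    limited_sink s;
    sink_init(&s, 100);
    printf("accepted %zu bytes, aborted=%d\n", feed_stream(&s, 1000), s.aborted);
    return 0;
}
```

As the message notes, a counter at this layer only covers data that passes through these put functions; paths that write incoming data straight to disk need their own check.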