Lynx 2.8.5, and other versions before 2.8.6dev.15, allows remote attackers to execute arbitrary commands via (1) lynxcgi:, (2) lynxexec, and (3) lynxprog links, which are not properly restricted in the default configuration in some environments.

The remote host is affected by the vulnerability described in GLSA-200909-15 (Lynx: Arbitrary command execution)

    Clint Ruoho reported that the fix for CVE-2005-2929 (GLSA 200511-09)     only disabled the lynxcgi:// handler when not using the advanced mode.
  Impact :

    A remote attacker can entice a user to access a malicious HTTP server,     causing Lynx to execute arbitrary commands. NOTE: The advanced mode is     not enabled by default. Successful exploitation requires the     'lynxcgi://' protocol to be registered with lynx on the victim's     system.
  Workaround :

    There is no known workaround at this time.

An updated lynx package that corrects a security flaw is now available.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Lynx is a text-based Web browser.

An arbitrary command execute bug was found in the lynx 'lynxcgi:' URI handler. An attacker could create a web page redirecting to a malicious URL which could execute arbitrary code as the user running lynx. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2929 to this issue.

Users should update to this erratum package, which contains a backported patch to correct this issue.

An arbitrary command execution vulnerability was discovered in the lynx 'lynxcgi:' URI handler. An attacker could create a web page that redirects to a malicious URL which could then execute arbitrary code as the user running lynx.

The updated packages have been patched to address this issue.

The remote host is affected by the vulnerability described in GLSA-200511-09 (Lynx: Arbitrary command execution)

    iDefense labs discovered a problem within the feature to execute     local cgi-bin programs via the 'lynxcgi:' URI handler. Due to a     configuration error, the default settings allow websites to specify     commands to run as the user running Lynx.
  Impact :

    A remote attacker can entice a user to access a malicious HTTP     server, causing Lynx to execute arbitrary commands.
  Workaround :

    Disable 'lynxcgi' links by specifying the following directive in     lynx.cfg:
    TRUSTED_LYNXCGI:none

This update fixes CVE-2005-2929 (lynxcgi: URLs).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is using Lynx as a web browser. This version of Lynx is vulnerable to a flaw where an attacker, convincing a Lynx user to browse a malicious URI, can execute arbitrary code on the remote system. 

ID	Name	Product	Family	Severity
40962	GLSA-200909-15 : Lynx: Arbitrary command execution	Nessus	Gentoo Local Security Checks	critical
21872	CentOS 3 / 4 : lynx (CESA-2005:839)	Nessus	CentOS Local Security Checks	high
20444	Mandrake Linux Security Advisory : lynx (MDKSA-2005:211)	Nessus	Mandriva Local Security Checks	high
20208	RHEL 2.1 / 3 / 4 : lynx (RHSA-2005:839)	Nessus	Red Hat Local Security Checks	high
20196	GLSA-200511-09 : Lynx: Arbitrary command execution	Nessus	Gentoo Local Security Checks	high
20194	Fedora Core 4 : lynx-2.8.5-23.2 (2005-1079)	Nessus	Fedora Local Security Checks	high
20193	Fedora Core 3 : lynx-2.8.5-18.0.2 (2005-1078)	Nessus	Fedora Local Security Checks	high
3287	Lynx < 2.8.6 dev15 Arbitary Code Execution	Nessus Network Monitor	Web Clients	medium
800978	Lynx < 2.8.6 dev15 Arbitary Code Execution	Log Correlation Engine	Web Clients	high

Detections

Analytics

CVE-2005-2929

critical

Tenable Plugins

critical

high

high

high

high

high

high

medium

high