I am running a BBS that is largely composed of bash scripts.
Just by chance, I happened to enter Lynx today and hit "/" and hit ENTER. Imagine my horror when it spit out the contents of my root directory! I do this in Windows all the time (accessing local files in the browser), but it never occurred to me to think about that here.
Ironically, there is a lynx flag to disable NON-localhost locations, but what I need to do here is the other way around. There are sensitive database passwords and other protected info on the local machine. I've heard of several similar machines getting pawned in this manner, by exploiting this vulnerability with Lynx running on a remote machine, in this case the BBS.
I tried to work around this by setting up an if-else statement. Unfortunately, typing "/" in for URL still works.
read -r -p "Web Address: " url
if [ "${url:0:4}" == "http" ] || [ "${url:0:5}" == "https" ]
then
lynx $url -accept_all_cookies
else
$url="http://$url"
lynx $url -accept_all_cookies
fi
Given the nature of this, I want to make sure we have a bulletproof solution as this is a production machine. Is there any way I can sanitize the user input reliably 100% of the time to prevent accessing local files?
Accessing localhost and 127.0.0.1 are fine; unnecessary, but all that does is bring up the Apache Successfully installed page.
My thinking was:
This is somewhat difficult as when "/" is entered, Lynx seems to redirect it to a URL, whine, and then redirect it to a local URL:
Web Address: /
/home/com/file.sh: line 109: /=http:///: No such file or directory
/ directory (p1 of 2)
Current directory is /
And then it proceeds to dump out a list of my root directory.
However, I realize this won't be sufficient. Users can still type in the name of local files in the directory. I typed in the name of a shell script in the directory from which this script is called, and Lynx spit out the contents of the bash script.
On top of that, I have the "go to" option in Lynx once a page has already been loaded to worry about! I can disable that like lynx $url -goto but would rather not if I can avoid it.
Disabling the web utility is not an option, so is there anyway to make this secure again?
After more testing, I've been able to come up with the following solution,
It's not pretty, but it does work without reducing functionality:
read -r -p "Web Address: " url
if [ "$url" == "" ]
then
lynx "https://analogfiles.ml" -accept_all_cookies -restrictions=bookmark,bookmark_exec,chdir,disk_save,dired_support,dotfiles,editor,exec,file_url,inside_ftp,lynxcfg_info,lynxcgi,mail,outside_telnet,print
elif [ "${url:0:1}" == "/" ] || [ "${url:0:1}" == "~" ] || [ "${url:0:7}" == "file://" ]
then
lynx "~http" -accept_all_cookies -restrictions=bookmark,bookmark_exec,chdir,disk_save,dired_support,dotfiles,editor,exec,file_url,inside_ftp,lynxcfg_info,lynxcgi,mail,outside_telnet,print
elif [ "${url:0:7}" == "http://" ] || [ "${url:0:8}" == "https://" ]
then
lynx $url -accept_all_cookies -restrictions=bookmark,bookmark_exec,chdir,disk_save,dired_support,dotfiles,editor,exec,file_url,inside_ftp,lynxcfg_info,lynxcgi,mail,outside_telnet,print
else
lynx "http://"$url -accept_all_cookies -restrictions=bookmark,bookmark_exec,chdir,disk_save,dired_support,dotfiles,editor,exec,file_url,inside_ftp,lynxcfg_info,lynxcgi,mail,outside_telnet,print
fi
The first part handles the homepage (which I've set to one of a number of Lynx-friendly sites). With the restrictions I have, pressing ENTER no longer results in a homepage working.
The second part prevents Lynx from even receiving a URL that could be considered local. This is because even with the restrictions enabled via flags, Lynx does not put them into effect for the given URL! This means if Lynx receives a URL that is local to the machine, such as file://home/, it will allow it, even if disabled by flags. I created an error message file called http but users simply see an FTP error message, which is OK with me.
Otherwise, if the URL is missing http:// or https://, I tack http:// on.
The restrictions you see here can be viewed by typing lynx -restrictions which provides more information.
The most relevant restriction you see is dired_support which is what disallows navigating to local files (the other restrictions are not directly relevant, but I saw no reason to allow them so for security I disallowed them). This means I can keep allowing GoTo to be used, without worrying that local files can be accessed that way, circumventing the if-else checks I use here. In fact, the if/else checks are only necessary because Lynx fails to properly apply restrictions for the first URL accessed from the shell script.
In other words, I have to manually prevent local files from being accessed with my if-else statements, and then trust Lynx will disallow access to local files thereon.