Description
CRLF injection vulnerability in Lynx 2.8.4 and earlier allows remote attackers to inject false HTTP headers into an HTTP request that is provided on the command line, via a URL containing encoded carriage return, line feed, and other whitespace characters.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Ulf Harnhammar · perl · remote · linux
https://www.exploit-db.com/exploits/21722
References (10)
Scores
EPSS
0.1312
EPSS Percentile
94.1%
Details
Status
published
Products (9)
elinks/elinks 0.2.4
elinks/elinks 0.3.2
links/links 0.96
university_of_kansas/lynx 2.8.2_rel1
university_of_kansas/lynx 2.8.3
university_of_kansas/lynx 2.8.3_rel1
university_of_kansas/lynx 2.8.4
university_of_kansas/lynx 2.8.4_rel1
university_of_kansas/lynx 2.8.5_dev8
Published
Feb 19, 2003
Tracked Since
Feb 18, 2026