Date: Wed, 30 Aug 2000 19:00:53 -0400
From: Peter W <peterw@USA.NET>
Subject: Re: Helix Code Security Advisory - go-gnome pre-installer
To: BUGTRAQ@SECURITYFOCUS.COM

At 6:08pm Aug 29, 2000, Helix Code, Inc. wrote:

> The go-gnome pre-installer has been updated on the main Helix Code mirror and
> go-gnome.com. This new version fixes this vulnerability by storing files in
> /var/cache/helix-install, which is writable only by root.

    mkdir -p -m 644 $cachedir

This works since the script runs as root, but didn't you mean 0755? [0]

> Copyright (c) 2000 Helix Code, Inc.

Thanks for addressing the issue of why the lynx hack is a bad idea. And
why you don't sign packages.

Next up, instructions for configuring Squid and Apache proxy servers to
compromise any workstation that tries to get the lynx hack script... any
takers? Bonus points for configs that only affect requests where the
User-Agent begins with "Lynx". Extra credit for ipchains and ipfilter
rules to redirect requests for spidermonkey.helixcode.com to such a proxy
for victims behind NAT firewalls who think they're not using Web proxies.

Tip of the hat to Neil W. Van Dyke, who opened a grave bug on the lynx
hack back in July: http://bugs.helixcode.com/db/14/1472.html

-Peter

[0] BTW, also note that this script can only be run once on non-Debian
boxes, since it bails if $cachedir exists.
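
The directory-mode and re-run points raised in the message above, as an added shell example that is not part of the original post or the go-gnome script. ensure_cachedir and dir_mode are hypothetical helper names, and the parent directory is assumed not to be writable by other users (as /var/cache normally is).

```shell
#!/bin/sh
# Added example: idempotent creation of a cache directory that only its
# owner (root, in the installer's case) can write to.
# ensure_cachedir and dir_mode are hypothetical helper names.

ensure_cachedir() {
    dir=$1
    # A symlink at this path could redirect the installer's writes elsewhere.
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2
        return 1
    fi
    if [ -e "$dir" ]; then
        # Reuse an existing directory instead of bailing on a second run,
        # but only if it really is a directory owned by the current user.
        if [ ! -d "$dir" ] || [ ! -O "$dir" ]; then
            echo "refusing: $dir is not a directory owned by us" >&2
            return 1
        fi
    else
        # -m applies only to the final component; parents created by -p
        # get their mode from the umask, so pin that as well.
        ( umask 022 && mkdir -p -m 0755 "$dir" ) || return 1
    fi
    # 0755 (rwxr-xr-x): owner may write, everyone may list and traverse.
    # 0644 lacks the search (x) bit; only root's permission bypass makes
    # such a directory usable at all.
    chmod 0755 "$dir"
}

# Permission string of a path as ls reports it, e.g. drwxr-xr-x
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Constructed demo under a temporary root, so it runs without privileges.
demo_root=$(mktemp -d)
ensure_cachedir "$demo_root/var/cache/helix-install" &&
    ensure_cachedir "$demo_root/var/cache/helix-install" &&   # second run is fine
    dir_mode "$demo_root/var/cache/helix-install"
rm -rf "$demo_root"
```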