Security related issues in Lynx

Anonymous/Public Lynx

A vulnerability in Lynx has recently been brought to the notice of the Lynx-Dev list. It permits a user of Lynx in anonymous mode to execute arbitrary commands on the machine running Lynx. All versions of Lynx through 2.7.1 are vulnerable. Administrators of public Lynxes are advised to disable g'oto on their Lynxes until a final patch set fixing this problem is available. A preliminary patch can be found at http://www.slcc.edu/lynx/fote/patches/; read the CHANGES entry for June 20, 1997 for details.

This vulnerability can be exploited by anyone who can supply Lynx with a carefully crafted URL, either from the g'oto prompt or by activating the URL on a World Wide Web page. The user can then launch a shell on the machine running Lynx.

Use of /tmp for temporary downloads

Lynx uses /tmp to store files during temporary downloads. The filename Lynx chooses can be predicted, so another user on the system can create a symbolic link with that filename, causing the Lynx user to overwrite any file they own with the contents of the download. If the sticky bit is set on /tmp, no other user should be able to overwrite the contents of the download itself.

This security problem will be fixed in the next release of Lynx, where a separate directory will be used for downloads, perhaps /tmp/$USER or $HOME/.lynx.
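As an added illustration (not Lynx source; the file and directory names are constructed), the predictable-name open that makes the symlink attack possible, beside a hardened open of the same name and the per-user private directory the text proposes:

```c
#define _GNU_SOURCE            /* mkdtemp, mkstemp, O_NOFOLLOW, symlink */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: predictable name in shared /tmp; open() follows a planted symlink and truncates its target. */
int open_download_unsafe(const char *dir, const char *name, char *out, size_t n)
{
    snprintf(out, n, "%s/%s", dir, name);
    return open(out, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened open of the same name: O_EXCL refuses any existing entry (a symlink
 * counts, errno EEXIST) and O_NOFOLLOW never follows one (errno ELOOP). */
int open_download_safe(const char *dir, const char *name, char *out, size_t n)
{
    snprintf(out, n, "%s/%s", dir, name);
    return open(out, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* The fix the text proposes: a private 0700 directory per user plus an unpredictable name. */
int open_download_private(const char *base, char *dir_out, char *file_out, size_t n)
{
    snprintf(dir_out, n, "%s/lynx-XXXXXX", base);
    if (mkdtemp(dir_out) == NULL) return -1;      /* directory created mode 0700 */
    snprintf(file_out, n, "%s/dl-XXXXXX", dir_out);
    return mkstemp(file_out);                     /* O_CREAT|O_EXCL, mode 0600 */
}

/* Constructed scenario: a symlink planted at the predictable name points at a file the
 * downloading user owns. Returns 0 when the unsafe open clobbers it and the hardened open refuses. */
int demo_symlink_race(void)
{
    char dir[64] = "/tmp/demo-XXXXXX", victim[128], path[128];
    struct stat st;
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    FILE *f = fopen(victim, "w"); if (!f) return 2;
    fputs("important data\n", f); fclose(f);
    snprintf(path, sizeof path, "%s/L12345-0TMP.html", dir);   /* constructed name */
    if (symlink(victim, path) != 0) return 3;
    int fd = open_download_unsafe(dir, "L12345-0TMP.html", path, sizeof path);
    if (fd < 0) return 4; close(fd);
    if (stat(victim, &st) != 0 || st.st_size != 0) return 5;  /* victim truncated */
    fd = open_download_safe(dir, "L12345-0TMP.html", path, sizeof path);
    if (fd >= 0) { close(fd); return 6; }
    return (errno == EEXIST || errno == ELOOP) ? 0 : 7;
}
```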
