security: url-cookies file stored world-readable, allowing session hijac

bug-gnu-emacs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

security: url-cookies file stored world-readable, allowing session hijac

From:	Daniel Kahn Gillmor
Subject:	security: url-cookies file stored world-readable, allowing session hijacking
Date:	Sun, 02 Dec 2007 13:58:38 -0500
User-agent:	Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux)

I just noticed that ~/.url/cookies was world-readable, and its parent
directory was world-readable, exposing the cookies emacs held to the
outside world, which allows for a session hijacking attack.

To replicate (i'm sure there are other ways) i did:

From a clean test account (no ~/.emacs file, no ~/.emacs.d directory,
and no ~/.url directory), launch gnus (M-x gnus).  Then "G m" to make
a new group named "test.cookies" with backend "nnrss".  I then visited
the group, and gave it the URL of an RSS feed i publish which offers
cookies [0].

I then switched to the *scratch* buffer, and evaluated:

(url-cookie-write-file)
t

As a result, the following directory and file were created:

0 xxx@monkey:~$ ls -la ~/.url
total 12
drwxr-xr-x  2 xxx xxx 4096 2007-12-02 13:49 .
drwxr-xr-x 53 xxx xxx 4096 2007-12-02 13:49 ..
-rw-r--r--  1 xxx xxx  372 2007-12-02 13:49 cookies
0 xxx@monkey:~$ 

Since that cookies file is world-readable (and the directory that it's
in is world-readable), someone could potentially hijack any session
maintained by my emacs instance.  It appears to also work on cookies
sent from secure sites.  This is a security flaw, and should be fixed.

I'm sorry that i don't know elisp well enough to offer a patch to

 /usr/share/emacs/22.1/lisp/url/url-cookie.el.gz

but i suspect that's where it needs to be fixed (at least that appears
to be the suspect file on a debian system).

Thanks for developing and maintaining emacs!

Regards,

        --dkg

PS i'm not on this list at the moment, so Cc'ing responses to me would
be appreciated.


In GNU Emacs 22.1.1 (i486-pc-linux-gnu, X toolkit, Xaw3d scroll bars)
 of 2007-11-09 on security.skolelinux.no, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.10300000
configured using `configure  '--build=i486-linux-gnu' '--host=i486-linux-gnu' 
'--prefix=/usr' '--sharedstatedir=/var/lib' '--libexecdir=/usr/lib' 
'--localstatedir=/var/lib' '--infodir=/usr/share/info' 
'--mandir=/usr/share/man' '--with-pop=yes' 
'--enable-locallisppath=/etc/emacs22:/etc/emacs:/usr/local/share/emacs/22.1/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/22.1/site-lisp:/usr/share/emacs/site-lisp:/usr/share/emacs/22.1/leim'
 '--with-x=yes' '--with-x-toolkit=athena' '--with-toolkit-scroll-bars' 
'build_alias=i486-linux-gnu' 'host_alias=i486-linux-gnu' 'CFLAGS=-DDEBIAN -g 
-O2''


[0] 
http://cmrg.fifthhorseman.net/timeline?ticket=on&ticket_details=on&changeset=on&wiki=on&max=50&daysback=90&format=rss

pgprmm1rPrEYO.pgp
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

security: url-cookies file stored world-readable, allowing session hijacking, Daniel Kahn Gillmor <=

Prev by Date: revert-buffer fails on cvs controlled .tex file
Next by Date: Menu item Describe Coding System (Briefly) should not have ellipsis
Previous by thread: revert-buffer fails on cvs controlled .tex file
Next by thread: Menu item Describe Coding System (Briefly) should not have ellipsis
Index(es):
- Date
- Thread