[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
security: url-cookies file stored world-readable, allowing session hijac
From: |
Daniel Kahn Gillmor |
Subject: |
security: url-cookies file stored world-readable, allowing session hijacking |
Date: |
Sun, 02 Dec 2007 13:58:38 -0500 |
User-agent: |
Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux) |
I just noticed that ~/.url/cookies was world-readable, and its parent
directory was world-readable, exposing the cookies emacs held to the
outside world, which allows for a session hijacking attack.
To replicate (i'm sure there are other ways) i did:
From a clean test account (no ~/.emacs file, no ~/.emacs.d directory,
and no ~/.url directory), launch gnus (M-x gnus). Then "G m" to make
a new group named "test.cookies" with backend "nnrss". I then visited
the group, and gave it the URL of an RSS feed i publish which offers
cookies [0].
I then switched to the *scratch* buffer, and evaluated:
(url-cookie-write-file)
t
As a result, the following directory and file were created:
0 xxx@monkey:~$ ls -la ~/.url
total 12
drwxr-xr-x 2 xxx xxx 4096 2007-12-02 13:49 .
drwxr-xr-x 53 xxx xxx 4096 2007-12-02 13:49 ..
-rw-r--r-- 1 xxx xxx 372 2007-12-02 13:49 cookies
0 xxx@monkey:~$
Since that cookies file is world-readable (and the directory that it's
in is world-readable), someone could potentially hijack any session
maintained by my emacs instance. It appears to also work on cookies
sent from secure sites. This is a security flaw, and should be fixed.
I'm sorry that i don't know elisp well enough to offer a patch to
/usr/share/emacs/22.1/lisp/url/url-cookie.el.gz
but i suspect that's where it needs to be fixed (at least that appears
to be the suspect file on a debian system).
Thanks for developing and maintaining emacs!
Regards,
--dkg
PS i'm not on this list at the moment, so Cc'ing responses to me would
be appreciated.
In GNU Emacs 22.1.1 (i486-pc-linux-gnu, X toolkit, Xaw3d scroll bars)
of 2007-11-09 on security.skolelinux.no, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.10300000
configured using `configure '--build=i486-linux-gnu' '--host=i486-linux-gnu'
'--prefix=/usr' '--sharedstatedir=/var/lib' '--libexecdir=/usr/lib'
'--localstatedir=/var/lib' '--infodir=/usr/share/info'
'--mandir=/usr/share/man' '--with-pop=yes'
'--enable-locallisppath=/etc/emacs22:/etc/emacs:/usr/local/share/emacs/22.1/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/22.1/site-lisp:/usr/share/emacs/site-lisp:/usr/share/emacs/22.1/leim'
'--with-x=yes' '--with-x-toolkit=athena' '--with-toolkit-scroll-bars'
'build_alias=i486-linux-gnu' 'host_alias=i486-linux-gnu' 'CFLAGS=-DDEBIAN -g
-O2''
[0]
http://cmrg.fifthhorseman.net/timeline?ticket=on&ticket_details=on&changeset=on&wiki=on&max=50&daysback=90&format=rss
pgprmm1rPrEYO.pgp
Description: PGP signature
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- security: url-cookies file stored world-readable, allowing session hijacking,
Daniel Kahn Gillmor <=