[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
address@hidden: security: url-cookies file stored world-readable, allowi
From: |
Richard Stallman |
Subject: |
address@hidden: security: url-cookies file stored world-readable, allowing session hijacking] |
Date: |
Mon, 03 Dec 2007 13:43:23 -0500 |
Can someone please DTRT in Emacs 22, then ack?
------- Start of forwarded message -------
X-Spam-Status: No, score=0.0 required=5.0 tests=UNPARSEABLE_RELAY
autolearn=failed version=3.1.0
To: address@hidden
From: Daniel Kahn Gillmor <address@hidden>
Date: Sun, 02 Dec 2007 13:58:38 -0500
Message-ID: <address@hidden>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
micalg=pgp-sha1; protocol="application/pgp-signature"
Subject: security: url-cookies file stored world-readable,
allowing session hijacking
- --=-=-=
Content-Transfer-Encoding: quoted-printable
I just noticed that ~/.url/cookies was world-readable, and its parent
directory was world-readable, exposing the cookies emacs held to the
outside world, which allows for a session hijacking attack.
To replicate (i'm sure there are other ways) i did:
From=20a clean test account (no ~/.emacs file, no ~/.emacs.d directory,
and no ~/.url directory), launch gnus (M-x gnus). Then "G m" to make
a new group named "test.cookies" with backend "nnrss". I then visited
the group, and gave it the URL of an RSS feed i publish which offers
cookies [0].
I then switched to the *scratch* buffer, and evaluated:
(url-cookie-write-file)
t
As a result, the following directory and file were created:
0 address@hidden:~$ ls -la ~/.url
total 12
drwxr-xr-x 2 xxx xxx 4096 2007-12-02 13:49 .
drwxr-xr-x 53 xxx xxx 4096 2007-12-02 13:49 ..
=2Drw-r--r-- 1 xxx xxx 372 2007-12-02 13:49 cookies
0 address@hidden:~$=20
Since that cookies file is world-readable (and the directory that it's
in is world-readable), someone could potentially hijack any session
maintained by my emacs instance. It appears to also work on cookies
sent from secure sites. This is a security flaw, and should be fixed.
I'm sorry that i don't know elisp well enough to offer a patch to
/usr/share/emacs/22.1/lisp/url/url-cookie.el.gz
but i suspect that's where it needs to be fixed (at least that appears
to be the suspect file on a debian system).
Thanks for developing and maintaining emacs!
Regards,
--dkg
PS i'm not on this list at the moment, so Cc'ing responses to me would
be appreciated.
In GNU Emacs 22.1.1 (i486-pc-linux-gnu, X toolkit, Xaw3d scroll bars)
of 2007-11-09 on security.skolelinux.no, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.10300000
configured using `configure '--build=3Di486-linux-gnu' '--host=3Di486-linu=
x-gnu' '--prefix=3D/usr' '--sharedstatedir=3D/var/lib' '--libexecdir=3D/usr=
/lib' '--localstatedir=3D/var/lib' '--infodir=3D/usr/share/info' '--mandir=
=3D/usr/share/man' '--with-pop=3Dyes' '--enable-locallisppath=3D/etc/emacs2=
2:/etc/emacs:/usr/local/share/emacs/22.1/site-lisp:/usr/local/share/emacs/s=
ite-lisp:/usr/share/emacs/22.1/site-lisp:/usr/share/emacs/site-lisp:/usr/sh=
are/emacs/22.1/leim' '--with-x=3Dyes' '--with-x-toolkit=3Dathena' '--with-t=
oolkit-scroll-bars' 'build_alias=3Di486-linux-gnu' 'host_alias=3Di486-linux=
- -gnu' 'CFLAGS=3D-DDEBIAN -g -O2''
[0] http://cmrg.fifthhorseman.net/timeline?ticket=3Don&ticket_details=3Don&=
changeset=3Don&wiki=3Don&max=3D50&daysback=3D90&format=3Drss
- --=-=-=
Content-Type: application/pgp-signature
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQIVAwUBR1MAZczS7ZTSFznpAQKUhA/+OOg+wf8TMsoSaB6Lpg+YrFteY9F5WSyo
zy0RiR/7MwgJmmMYtB0CovpXyBoq4EGoPGayJEWsSEiPh2RB4RrVNfuZz5tQ5Hzp
MPKQKkdHht3HbE1VhZItgR4PLUEa6ZFjZSKnaiqMUj5WEF3VmS7G9DGPaAM3LSPE
+EV8Lg4cJN74EcqDYQ3PyOu73yzZin26/z694S7amHVbTcvcTgftsuotioWs8Pcz
gEPKt+lxUPw7N6K1HcBE9hKBtgndNxBfHAN/4IwyijhELRb7uanb3c0DZ0meGK8f
d1+YQKd5LieXJ6uQpHrBTqMoGzDElBrqgW7PLmTIOS9ImRlsm4ARlLnRdvW7Zj2i
pWMlby4GeGSoYkLKfSCQ40C+vkedMm+JJQsKrkLULD51uq9jgsJp7tFfbhiwBHVu
K2PdhSbZ0Pl/aC9H/4DhSIU9PP4+TwNrE2ufI2z/i+kFCxlZIbNVgVS6bKFwBU0T
MQjsJauIHStqNfTiVdCUFdb6sdnloo89v0OxLMqDUzYFWbgd2zo4biy8npS0xMj3
LeztZzMCCOvA+H5jVN6FLn4B3ic6eahL2/N3TBSy50H1l/B8jlhg1fiNq9ShcCqd
z0Od87CPuyOrO41ypYXdn9TTEBD/83m8V55VT+Tq/bXKoEOwlBkTFC1+0jmH/+sy
x/+GF7p65cg=
=IUb/
- -----END PGP SIGNATURE-----
- --=-=-=--
------- End of forwarded message -------
- address@hidden: security: url-cookies file stored world-readable, allowing session hijacking],
Richard Stallman <=