Re: address@hidden: security: url-cookies file stored world-readable, al

emacs-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: address@hidden: security: url-cookies file stored world-readable, al

From:	Daniel Kahn Gillmor
Subject:	Re: address@hidden: security: url-cookies file stored world-readable, allowing session hijacking]
Date:	Mon, 10 Dec 2007 01:19:16 -0500
User-agent:	Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux)

On Sat 2007-12-08 20:38:09 -0500, Glenn Morris wrote:

> dkg wrote:
>
>> I just noticed that ~/.url/cookies was world-readable, and its parent
>> directory was world-readable, exposing the cookies emacs held to the
>> outside world, which allows for a session hijacking attack.
>
> I can fix this. Should ~/.url be private, or just certain files within
> it (cookies, history, what else)?

i would suspect that history should also be private -- URLs visited
often hold information that you might not want others to see.  i'm not
sure what else gets placed in that directory, so i don't know if the
directory itself should be mode 0700 or not.

Thanks for the followup,

       --dkg

pgp_axrjPIwwj.pgp
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

address@hidden: security: url-cookies file stored world-readable, allowing session hijacking], Richard Stallman, 2007/12/03
- Re: address@hidden: security: url-cookies file stored world-readable, allowing session hijacking], Glenn Morris, 2007/12/08
  - Re: address@hidden: security: url-cookies file stored world-readable, allowing session hijacking], Daniel Kahn Gillmor <=

Prev by Date: Re: comment-add
Next by Date: MAC_OS_X cpp macro?
Previous by thread: Re: address@hidden: security: url-cookies file stored world-readable, allowing session hijacking]
Next by thread: vc commit clears undo history
Index(es):
- Date
- Thread