Re: address@hidden: security: url-cookies file stored world-readable, al
From: Daniel Kahn Gillmor
Subject: Re: address@hidden: security: url-cookies file stored world-readable, allowing session hijacking]
Date: Mon, 10 Dec 2007 01:19:16 -0500
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux)

On Sat 2007-12-08 20:38:09 -0500, Glenn Morris wrote:
> dkg wrote:
>
>> I just noticed that ~/.url/cookies was world-readable, and its parent
>> directory was world-readable, exposing the cookies emacs held to the
>> outside world, which allows for a session hijacking attack.
>
> I can fix this. Should ~/.url be private, or just certain files within
> it (cookies, history, what else)?

i would suspect that history should also be private -- URLs visited
often hold information that you might not want others to see. i'm not
sure what else gets placed in that directory, so i don't know if the
directory itself should be mode 0700 or not.

Thanks for the followup,

--dkg
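
An added example, not part of the original message and not Emacs code: a POSIX shell audit for the exposure discussed in this thread, reporting anything under a per-user directory such as ~/.url that grants group or other access and then closing it. The function names are hypothetical, and closing the whole directory (the 0700 option raised above) is an assumption of this sketch rather than the fix the thread settled on.

```shell
#!/bin/sh
# Added example: audit and tighten a per-user data directory such as ~/.url.
# Function names are hypothetical; nothing here is taken from Emacs.

# Print every entry under DIR whose mode grants any group/other permission bit.
# Symlinks are skipped: their own mode bits are not used for access checks.
audit_private_dir() {
    dir=$1
    [ -d "$dir" ] || return 0
    find "$dir" ! -type l \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Strip all group/other bits from DIR and everything below it.
# "go-rwx" leaves the owner bits untouched, so directories stay traversable
# by the owner and regular files do not gain execute permission.
harden_private_dir() {
    dir=$1
    [ -d "$dir" ] || return 0
    # Close the top-level directory first so its contents are unreachable
    # to other users while the individual entries are being fixed.
    chmod go-rwx "$dir" || return 1
    find "$dir" ! -type l -exec chmod go-rwx {} +
}

# Run a command with umask 077 so files it creates are private from the
# moment they exist, instead of being created open and chmod'ed afterwards.
with_private_umask() {
    ( umask 077 && "$@" )
}

# Stand-alone use: "sh script.sh audit [DIR]" or "sh script.sh fix [DIR]".
case "${1:-}" in
    audit) audit_private_dir "${2:-$HOME/.url}" ;;
    fix)   harden_private_dir "${2:-$HOME/.url}" ;;
esac
```

Fixing modes after the fact does not cover the window between file creation and chmod, which is why the umask wrapper is included alongside the repair function.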