* security: url-cookies file stored world-readable, allowing session hijacking
@ 2007-12-02 18:58 Daniel Kahn Gillmor
0 siblings, 0 replies; only message in thread
From: Daniel Kahn Gillmor @ 2007-12-02 18:58 UTC (permalink / raw)
To: bug-gnu-emacs
[-- Attachment #1: Type: text/plain, Size: 2555 bytes --]
I just noticed that ~/.url/cookies was world-readable, and its parent
directory was world-readable, exposing the cookies emacs held to the
outside world, which allows for a session hijacking attack.
To replicate (i'm sure there are other ways) i did:
From a clean test account (no ~/.emacs file, no ~/.emacs.d directory,
and no ~/.url directory), launch gnus (M-x gnus). Then "G m" to make
a new group named "test.cookies" with backend "nnrss". I then visited
the group, and gave it the URL of an RSS feed i publish which offers
cookies [0].
I then switched to the *scratch* buffer, and evaluated:
(url-cookie-write-file)
t
As a result, the following directory and file were created:
0 xxx@monkey:~$ ls -la ~/.url
total 12
drwxr-xr-x 2 xxx xxx 4096 2007-12-02 13:49 .
drwxr-xr-x 53 xxx xxx 4096 2007-12-02 13:49 ..
-rw-r--r-- 1 xxx xxx 372 2007-12-02 13:49 cookies
0 xxx@monkey:~$
Since that cookies file is world-readable (and the directory that it's
in is world-readable), someone could potentially hijack any session
maintained by my emacs instance. It appears to also work on cookies
sent from secure sites. This is a security flaw, and should be fixed.
I'm sorry that i don't know elisp well enough to offer a patch to
/usr/share/emacs/22.1/lisp/url/url-cookie.el.gz
but i suspect that's where it needs to be fixed (at least that appears
to be the suspect file on a debian system).
Thanks for developing and maintaining emacs!
Regards,
--dkg
PS i'm not on this list at the moment, so Cc'ing responses to me would
be appreciated.
In GNU Emacs 22.1.1 (i486-pc-linux-gnu, X toolkit, Xaw3d scroll bars)
of 2007-11-09 on security.skolelinux.no, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.10300000
configured using `configure '--build=i486-linux-gnu' '--host=i486-linux-gnu' '--prefix=/usr' '--sharedstatedir=/var/lib' '--libexecdir=/usr/lib' '--localstatedir=/var/lib' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--with-pop=yes' '--enable-locallisppath=/etc/emacs22:/etc/emacs:/usr/local/share/emacs/22.1/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/22.1/site-lisp:/usr/share/emacs/site-lisp:/usr/share/emacs/22.1/leim' '--with-x=yes' '--with-x-toolkit=athena' '--with-toolkit-scroll-bars' 'build_alias=i486-linux-gnu' 'host_alias=i486-linux-gnu' 'CFLAGS=-DDEBIAN -g -O2''
[0] http://cmrg.fifthhorseman.net/timeline?ticket=on&ticket_details=on&changeset=on&wiki=on&max=50&daysback=90&format=rss
[-- Attachment #2: Type: application/pgp-signature, Size: 826 bytes --]
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2007-12-02 18:58 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-12-02 18:58 security: url-cookies file stored world-readable, allowing session hijacking Daniel Kahn Gillmor
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).