[dkg@fifthhorseman.net: security: url-cookies file stored world-readable, allowing session hijacking]

[dkg@fifthhorseman.net: security: url-cookies file stored world-readable, allowing session hijacking]

[Richard Stallman]

Can someone please DTRT in Emacs 22, then ack?

------- Start of forwarded message -------
X-Spam-Status: No, score=0.0 required=5.0 tests=UNPARSEABLE_RELAY 
	autolearn=failed version=3.1.0
To: bug-gnu-emacs@gnu.org
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sun, 02 Dec 2007 13:58:38 -0500
Message-ID: <87tzn0vs81.fsf@squeak.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha1; protocol="application/pgp-signature"
Subject: security: url-cookies file stored world-readable,
	allowing session hijacking

- --=-=-=
Content-Transfer-Encoding: quoted-printable

I just noticed that ~/.url/cookies was world-readable, and its parent
directory was world-readable, exposing the cookies emacs held to the
outside world, which allows for a session hijacking attack.

To replicate (i'm sure there are other ways) i did:

From=20a clean test account (no ~/.emacs file, no ~/.emacs.d directory,
and no ~/.url directory), launch gnus (M-x gnus).  Then "G m" to make
a new group named "test.cookies" with backend "nnrss".  I then visited
the group, and gave it the URL of an RSS feed i publish which offers
cookies [0].

I then switched to the *scratch* buffer, and evaluated:

(url-cookie-write-file)
t

As a result, the following directory and file were created:

0 xxx@monkey:~$ ls -la ~/.url
total 12
drwxr-xr-x  2 xxx xxx 4096 2007-12-02 13:49 .
drwxr-xr-x 53 xxx xxx 4096 2007-12-02 13:49 ..
=2Drw-r--r--  1 xxx xxx  372 2007-12-02 13:49 cookies
0 xxx@monkey:~$=20

Since that cookies file is world-readable (and the directory that it's
in is world-readable), someone could potentially hijack any session
maintained by my emacs instance.  It appears to also work on cookies
sent from secure sites.  This is a security flaw, and should be fixed.

I'm sorry that i don't know elisp well enough to offer a patch to

 /usr/share/emacs/22.1/lisp/url/url-cookie.el.gz

but i suspect that's where it needs to be fixed (at least that appears
to be the suspect file on a debian system).

Thanks for developing and maintaining emacs!

Regards,

        --dkg

PS i'm not on this list at the moment, so Cc'ing responses to me would
be appreciated.


In GNU Emacs 22.1.1 (i486-pc-linux-gnu, X toolkit, Xaw3d scroll bars)
 of 2007-11-09 on security.skolelinux.no, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.10300000
configured using `configure  '--build=3Di486-linux-gnu' '--host=3Di486-linu=
x-gnu' '--prefix=3D/usr' '--sharedstatedir=3D/var/lib' '--libexecdir=3D/usr=
/lib' '--localstatedir=3D/var/lib' '--infodir=3D/usr/share/info' '--mandir=
=3D/usr/share/man' '--with-pop=3Dyes' '--enable-locallisppath=3D/etc/emacs2=
2:/etc/emacs:/usr/local/share/emacs/22.1/site-lisp:/usr/local/share/emacs/s=
ite-lisp:/usr/share/emacs/22.1/site-lisp:/usr/share/emacs/site-lisp:/usr/sh=
are/emacs/22.1/leim' '--with-x=3Dyes' '--with-x-toolkit=3Dathena' '--with-t=
oolkit-scroll-bars' 'build_alias=3Di486-linux-gnu' 'host_alias=3Di486-linux=
- -gnu' 'CFLAGS=3D-DDEBIAN -g -O2''


[0] http://cmrg.fifthhorseman.net/timeline?ticket=3Don&ticket_details=3Don&=
changeset=3Don&wiki=3Don&max=3D50&daysback=3D90&format=3Drss

- --=-=-=
Content-Type: application/pgp-signature

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQIVAwUBR1MAZczS7ZTSFznpAQKUhA/+OOg+wf8TMsoSaB6Lpg+YrFteY9F5WSyo
zy0RiR/7MwgJmmMYtB0CovpXyBoq4EGoPGayJEWsSEiPh2RB4RrVNfuZz5tQ5Hzp
MPKQKkdHht3HbE1VhZItgR4PLUEa6ZFjZSKnaiqMUj5WEF3VmS7G9DGPaAM3LSPE
+EV8Lg4cJN74EcqDYQ3PyOu73yzZin26/z694S7amHVbTcvcTgftsuotioWs8Pcz
gEPKt+lxUPw7N6K1HcBE9hKBtgndNxBfHAN/4IwyijhELRb7uanb3c0DZ0meGK8f
d1+YQKd5LieXJ6uQpHrBTqMoGzDElBrqgW7PLmTIOS9ImRlsm4ARlLnRdvW7Zj2i
pWMlby4GeGSoYkLKfSCQ40C+vkedMm+JJQsKrkLULD51uq9jgsJp7tFfbhiwBHVu
K2PdhSbZ0Pl/aC9H/4DhSIU9PP4+TwNrE2ufI2z/i+kFCxlZIbNVgVS6bKFwBU0T
MQjsJauIHStqNfTiVdCUFdb6sdnloo89v0OxLMqDUzYFWbgd2zo4biy8npS0xMj3
LeztZzMCCOvA+H5jVN6FLn4B3ic6eahL2/N3TBSy50H1l/B8jlhg1fiNq9ShcCqd
z0Od87CPuyOrO41ypYXdn9TTEBD/83m8V55VT+Tq/bXKoEOwlBkTFC1+0jmH/+sy
x/+GF7p65cg=
=IUb/
- -----END PGP SIGNATURE-----
- --=-=-=--
------- End of forwarded message -------

Re: [dkg@fifthhorseman.net: security: url-cookies file stored world-readable, allowing session hijacking]

[Glenn Morris]

> I just noticed that ~/.url/cookies was world-readable, and its parent
> directory was world-readable, exposing the cookies emacs held to the
> outside world, which allows for a session hijacking attack.

I can fix this. Should ~/.url be private, or just certain files within
it (cookies, history, what else)?

Re: [dkg@fifthhorseman.net: security: url-cookies file stored world-readable, allowing session hijacking]

[Daniel Kahn Gillmor]

[-- Attachment #1.1: Type: text/plain, Size: 683 bytes --]

On Sat 2007-12-08 20:38:09 -0500, Glenn Morris wrote:

> dkg wrote:
>
>> I just noticed that ~/.url/cookies was world-readable, and its parent
>> directory was world-readable, exposing the cookies emacs held to the
>> outside world, which allows for a session hijacking attack.
>
> I can fix this. Should ~/.url be private, or just certain files within
> it (cookies, history, what else)?

i would suspect that history should also be private -- URLs visited
often hold information that you might not want others to see.  i'm not
sure what else gets placed in that directory, so i don't know if the
directory itself should be mode 0700 or not.

Thanks for the followup,

       --dkg

[-- Attachment #1.2: Type: application/pgp-signature, Size: 826 bytes --]

[-- Attachment #2: Type: text/plain, Size: 142 bytes --]

_______________________________________________
Emacs-devel mailing list
Emacs-devel@gnu.org
http://lists.gnu.org/mailman/listinfo/emacs-devel