From: Richard Stallman
Newsgroups: gmane.emacs.devel
Subject: [dkg@fifthhorseman.net: security: url-cookies file stored world-readable, allowing session hijacking]
Date: Mon, 03 Dec 2007 13:43:23 -0500
Reply-To: rms@gnu.org
To: emacs-devel@gnu.org

Can someone please DTRT in Emacs 22, then ack?

------- Start of forwarded message -------
To: bug-gnu-emacs@gnu.org
From: Daniel Kahn Gillmor
Date: Sun, 02 Dec 2007 13:58:38 -0500
Message-ID: <87tzn0vs81.fsf@squeak.fifthhorseman.net>
Subject: security: url-cookies file stored world-readable, allowing session hijacking

I just noticed that ~/.url/cookies was world-readable, and its parent
directory was world-readable, exposing the cookies emacs held to the
outside world, which allows for a session hijacking attack.

To replicate (i'm sure there are other ways) i did:

From a clean test account (no ~/.emacs file, no ~/.emacs.d directory,
and no ~/.url directory), launch gnus (M-x gnus).  Then "G m" to make
a new group named "test.cookies" with backend "nnrss".  I then visited
the group, and gave it the URL of an RSS feed i publish which offers
cookies [0].

I then switched to the *scratch* buffer, and evaluated:

  (url-cookie-write-file)
  t

As a result, the following directory and file were created:

0 xxx@monkey:~$ ls -la ~/.url
total 12
drwxr-xr-x  2 xxx xxx 4096 2007-12-02 13:49 .
drwxr-xr-x 53 xxx xxx 4096 2007-12-02 13:49 ..
-rw-r--r--  1 xxx xxx  372 2007-12-02 13:49 cookies
0 xxx@monkey:~$

Since that cookies file is world-readable (and the directory that it's
in is world-readable), someone could potentially hijack any session
maintained by my emacs instance.  It appears to also work on cookies
sent from secure sites.

This is a security flaw, and should be fixed.  I'm sorry that i don't
know elisp well enough to offer a patch to
/usr/share/emacs/22.1/lisp/url/url-cookie.el.gz but i suspect that's
where it needs to be fixed (at least that appears to be the suspect
file on a debian system).

Thanks for developing and maintaining emacs!

Regards,

--dkg

PS i'm not on this list at the moment, so Cc'ing responses to me would
be appreciated.

In GNU Emacs 22.1.1 (i486-pc-linux-gnu, X toolkit, Xaw3d scroll bars)
 of 2007-11-09 on security.skolelinux.no, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.10300000
configured using `configure '--build=i486-linux-gnu' '--host=i486-linux-gnu' '--prefix=/usr' '--sharedstatedir=/var/lib' '--libexecdir=/usr/lib' '--localstatedir=/var/lib' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--with-pop=yes' '--enable-locallisppath=/etc/emacs22:/etc/emacs:/usr/local/share/emacs/22.1/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/22.1/site-lisp:/usr/share/emacs/site-lisp:/usr/share/emacs/22.1/leim' '--with-x=yes' '--with-x-toolkit=athena' '--with-toolkit-scroll-bars' 'build_alias=i486-linux-gnu' 'host_alias=i486-linux-gnu' 'CFLAGS=-DDEBIAN -g -O2''

[0] http://cmrg.fifthhorseman.net/timeline?ticket=on&ticket_details=on&changeset=on&wiki=on&max=50&daysback=90&format=rss

------- End of forwarded message -------
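The permission check the report performs by hand with "ls -la ~/.url", turned into a small audit-and-remediation script. This is an added example, not code from the report or from Emacs; the function names perm_of, is_exposed and harden_cookie_store are made up for it, and it assumes the layout the report shows (a ~/.url directory holding cookie files) and either GNU stat (-c) or BSD stat (-f). It treats any group or other bit on the directory or on a file as exposure, since the report notes that both the file and its parent directory were world-readable, and tightens them to 0700 and 0600 respectively.

```sh
#!/bin/sh
# Added example (not from the bug report or from Emacs): audit the
# Emacs cookie store and tighten it to owner-only access.  Assumes the
# ~/.url layout from the report and GNU or BSD stat.  perm_of,
# is_exposed and harden_cookie_store are hypothetical names.

# Octal permission bits of a path, e.g. 644 or 700.
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Returns 0 (true) when the path grants any access to group or others,
# i.e. when the last two octal digits are not both zero.
is_exposed() {
    case "$(perm_of "$1")" in
        *00) return 1 ;;
        *)   return 0 ;;
    esac
}

# Tighten DIR to 0700 and every regular file inside it to 0600.  Prints
# one line per path changed; returns 0 if anything was changed, 1 if the
# store was already private or does not exist.
harden_cookie_store() {
    hcs_dir="$1"
    hcs_fixed=1
    [ -d "$hcs_dir" ] || { echo "no cookie directory at $hcs_dir" >&2; return 1; }
    if is_exposed "$hcs_dir"; then
        chmod 700 "$hcs_dir" && echo "tightened $hcs_dir to 0700" && hcs_fixed=0
    fi
    for hcs_f in "$hcs_dir"/*; do
        [ -f "$hcs_f" ] || continue
        if is_exposed "$hcs_f"; then
            chmod 600 "$hcs_f" && echo "tightened $hcs_f to 0600" && hcs_fixed=0
        fi
    done
    return "$hcs_fixed"
}

# Usage: sh harden-cookies.sh ~/.url
if [ $# -gt 0 ]; then
    harden_cookie_store "$1"
fi
```

This only closes the gap for a store that has already been written; the lasting fix is for the code that writes the file to create both the directory and the file with owner-only modes from the start, so there is never a window in which they are readable by others. Cookies that sat world-readable before the change should be assumed read: the sessions they represent are not made safe by chmod after the fact.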