From: Daniel Kahn Gillmor
Newsgroups: gmane.emacs.bugs
Subject: security: url-cookies file stored world-readable, allowing session hijacking
Date: Sun, 02 Dec 2007 13:58:38 -0500
Message-ID: <87tzn0vs81.fsf@squeak.fifthhorseman.net>
To: bug-gnu-emacs@gnu.org
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux)
Xref: news.gmane.org gmane.emacs.bugs:17112

I just noticed that ~/.url/cookies was world-readable, and its parent
directory was world-readable, exposing the cookies emacs held to the
outside world, which allows for a session hijacking attack.

To replicate (I'm sure there are other ways) I did:

From a clean test account (no ~/.emacs file, no ~/.emacs.d directory,
and no ~/.url directory), launch gnus (M-x gnus). Then "G m" to make a
new group named "test.cookies" with backend "nnrss". I then visited the
group, and gave it the URL of an RSS feed I publish which offers
cookies [0]. I then switched to the *scratch* buffer, and evaluated:

  (url-cookie-write-file)
  t

As a result, the following directory and file were created:

  0 xxx@monkey:~$ ls -la ~/.url
  total 12
  drwxr-xr-x  2 xxx xxx 4096 2007-12-02 13:49 .
  drwxr-xr-x 53 xxx xxx 4096 2007-12-02 13:49 ..
  -rw-r--r--  1 xxx xxx  372 2007-12-02 13:49 cookies
  0 xxx@monkey:~$

Since that cookies file is world-readable (and the directory that it's
in is world-readable), someone could potentially hijack any session
maintained by my emacs instance. It appears to also work on cookies
sent from secure sites.

This is a security flaw, and should be fixed. I'm sorry that I don't
know elisp well enough to offer a patch to
/usr/share/emacs/22.1/lisp/url/url-cookie.el.gz but I suspect that's
where it needs to be fixed (at least that appears to be the suspect
file on a Debian system).

Thanks for developing and maintaining emacs!

Regards,

--dkg

PS I'm not on this list at the moment, so Cc'ing responses to me would
be appreciated.

In GNU Emacs 22.1.1 (i486-pc-linux-gnu, X toolkit, Xaw3d scroll bars)
 of 2007-11-09 on security.skolelinux.no, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.10300000
configured using `configure '--build=i486-linux-gnu' '--host=i486-linux-gnu' '--prefix=/usr' '--sharedstatedir=/var/lib' '--libexecdir=/usr/lib' '--localstatedir=/var/lib' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--with-pop=yes' '--enable-locallisppath=/etc/emacs22:/etc/emacs:/usr/local/share/emacs/22.1/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/22.1/site-lisp:/usr/share/emacs/site-lisp:/usr/share/emacs/22.1/leim' '--with-x=yes' '--with-x-toolkit=athena' '--with-toolkit-scroll-bars' 'build_alias=i486-linux-gnu' 'host_alias=i486-linux-gnu' 'CFLAGS=-DDEBIAN -g -O2''

[0] http://cmrg.fifthhorseman.net/timeline?ticket=on&ticket_details=on&changeset=on&wiki=on&max=50&daysback=90&format=rss
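The report above makes two observations that together decide whether the cookie jar leaks: the file itself is 0644, and every directory above it (here ~/.url and the home directory) is searchable by other users. The script below is an added example, not part of the bug report and not code from Emacs or url-cookie.el: it audits a secret file for exactly that combination, applies the owner-only modes a fix to the cookie writer would use, and re-checks. The function names, the STOP argument (the directory above which ancestors are assumed traversable, normally $HOME), and the scratch copy of the reported layout are all assumptions of this example. It relies only on POSIX sh, ls, cut, chmod and mktemp.

```sh
#!/bin/sh
# Added example, not code from the bug report or from Emacs: audit whether a
# secret file such as ~/.url/cookies is readable by other local users, and
# tighten the modes the way a fix to the writer would.

# The six group/other permission characters as printed by ls -l, e.g.
# "r--r--" for a 0644 file or "r-xr-x" for a 0755 directory.
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# exposed_to_others FILE STOP
# Exit 0 when group or other can read FILE *and* can search every directory
# from FILE's parent up to and including STOP (typically $HOME; anything
# above it is assumed traversable). A 0600 file or a 0700 directory on the
# way both block the leak, which is why both modes matter in the report.
exposed_to_others() {
    file=$1
    stop=$2
    case "$(group_other_bits "$file")" in
        r*|???r*) ;;                    # group read or other read is set
        *) return 1 ;;
    esac
    dir=$(dirname "$file")
    while :; do
        case "$(group_other_bits "$dir")" in
            ??[xs]*|?????[xt]) ;;       # group or other may search it (s/t: setgid/sticky)
            *) return 1 ;;
        esac
        [ "$dir" = "$stop" ] && return 0
        [ "$dir" = / ] && return 0      # reached the root without meeting STOP
        dir=$(dirname "$dir")
    done
}

# Owner-only modes on FILE and on its containing directory, which is assumed
# to be a dedicated one like ~/.url rather than the home directory itself.
harden_secret_file() {
    chmod 700 "$(dirname "$1")" && chmod 600 "$1"
}

# Recreate the layout from the report (drwxr-xr-x .url, -rw-r--r-- cookies)
# under a scratch "home" (constructed here), confirm it leaks, fix it, and
# confirm it no longer does. Exit 0 only if both observations match.
demo() {
    home=$(mktemp -d) || return 1
    chmod 755 "$home"                   # a typical world-searchable home
    mkdir -m 755 "$home/.url"
    : > "$home/.url/cookies"
    chmod 644 "$home/.url/cookies"
    before=1
    exposed_to_others "$home/.url/cookies" "$home" && before=0
    harden_secret_file "$home/.url/cookies"
    after=1
    exposed_to_others "$home/.url/cookies" "$home" && after=0
    rm -rf "$home"
    [ "$before" -eq 0 ] && [ "$after" -ne 0 ]
}

demo && echo "cookies file leaked before hardening and is private afterwards"
```

To audit a real account, run `exposed_to_others "$HOME/.url/cookies" "$HOME"` and, if it succeeds, `harden_secret_file "$HOME/.url/cookies"`. Note that chmod after the fact still leaves a window between creation and the fix; a writer that creates the file with a restrictive umask or an explicit 0600 mode closes that window, which is the change the report asks for in url-cookie.el.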