From: Richard Stallman <rms@gnu.org>
To: emacs-devel@gnu.org
Subject: [dkg@fifthhorseman.net: security: url-cookies file stored world-readable, allowing session hijacking]
Date: Mon, 03 Dec 2007 13:43:23 -0500 [thread overview]
Message-ID: <E1IzGGJ-0006Uw-87@fencepost.gnu.org> (raw)
Can someone please DTRT in Emacs 22, then ack?
------- Start of forwarded message -------
X-Spam-Status: No, score=0.0 required=5.0 tests=UNPARSEABLE_RELAY
autolearn=failed version=3.1.0
To: bug-gnu-emacs@gnu.org
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sun, 02 Dec 2007 13:58:38 -0500
Message-ID: <87tzn0vs81.fsf@squeak.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
micalg=pgp-sha1; protocol="application/pgp-signature"
Subject: security: url-cookies file stored world-readable,
allowing session hijacking
- --=-=-=
Content-Transfer-Encoding: quoted-printable
I just noticed that ~/.url/cookies was world-readable, and its parent
directory was world-readable, exposing the cookies emacs held to the
outside world, which allows for a session hijacking attack.
To replicate (i'm sure there are other ways) i did:
From=20a clean test account (no ~/.emacs file, no ~/.emacs.d directory,
and no ~/.url directory), launch gnus (M-x gnus). Then "G m" to make
a new group named "test.cookies" with backend "nnrss". I then visited
the group, and gave it the URL of an RSS feed i publish which offers
cookies [0].
I then switched to the *scratch* buffer, and evaluated:
(url-cookie-write-file)
t
As a result, the following directory and file were created:
0 xxx@monkey:~$ ls -la ~/.url
total 12
drwxr-xr-x 2 xxx xxx 4096 2007-12-02 13:49 .
drwxr-xr-x 53 xxx xxx 4096 2007-12-02 13:49 ..
=2Drw-r--r-- 1 xxx xxx 372 2007-12-02 13:49 cookies
0 xxx@monkey:~$=20
Since that cookies file is world-readable (and the directory that it's
in is world-readable), someone could potentially hijack any session
maintained by my emacs instance. It appears to also work on cookies
sent from secure sites. This is a security flaw, and should be fixed.
I'm sorry that i don't know elisp well enough to offer a patch to
/usr/share/emacs/22.1/lisp/url/url-cookie.el.gz
but i suspect that's where it needs to be fixed (at least that appears
to be the suspect file on a debian system).
Thanks for developing and maintaining emacs!
Regards,
--dkg
PS i'm not on this list at the moment, so Cc'ing responses to me would
be appreciated.
In GNU Emacs 22.1.1 (i486-pc-linux-gnu, X toolkit, Xaw3d scroll bars)
of 2007-11-09 on security.skolelinux.no, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.10300000
configured using `configure '--build=3Di486-linux-gnu' '--host=3Di486-linu=
x-gnu' '--prefix=3D/usr' '--sharedstatedir=3D/var/lib' '--libexecdir=3D/usr=
/lib' '--localstatedir=3D/var/lib' '--infodir=3D/usr/share/info' '--mandir=
=3D/usr/share/man' '--with-pop=3Dyes' '--enable-locallisppath=3D/etc/emacs2=
2:/etc/emacs:/usr/local/share/emacs/22.1/site-lisp:/usr/local/share/emacs/s=
ite-lisp:/usr/share/emacs/22.1/site-lisp:/usr/share/emacs/site-lisp:/usr/sh=
are/emacs/22.1/leim' '--with-x=3Dyes' '--with-x-toolkit=3Dathena' '--with-t=
oolkit-scroll-bars' 'build_alias=3Di486-linux-gnu' 'host_alias=3Di486-linux=
- -gnu' 'CFLAGS=3D-DDEBIAN -g -O2''
[0] http://cmrg.fifthhorseman.net/timeline?ticket=3Don&ticket_details=3Don&=
changeset=3Don&wiki=3Don&max=3D50&daysback=3D90&format=3Drss
- --=-=-=
Content-Type: application/pgp-signature
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQIVAwUBR1MAZczS7ZTSFznpAQKUhA/+OOg+wf8TMsoSaB6Lpg+YrFteY9F5WSyo
zy0RiR/7MwgJmmMYtB0CovpXyBoq4EGoPGayJEWsSEiPh2RB4RrVNfuZz5tQ5Hzp
MPKQKkdHht3HbE1VhZItgR4PLUEa6ZFjZSKnaiqMUj5WEF3VmS7G9DGPaAM3LSPE
+EV8Lg4cJN74EcqDYQ3PyOu73yzZin26/z694S7amHVbTcvcTgftsuotioWs8Pcz
gEPKt+lxUPw7N6K1HcBE9hKBtgndNxBfHAN/4IwyijhELRb7uanb3c0DZ0meGK8f
d1+YQKd5LieXJ6uQpHrBTqMoGzDElBrqgW7PLmTIOS9ImRlsm4ARlLnRdvW7Zj2i
pWMlby4GeGSoYkLKfSCQ40C+vkedMm+JJQsKrkLULD51uq9jgsJp7tFfbhiwBHVu
K2PdhSbZ0Pl/aC9H/4DhSIU9PP4+TwNrE2ufI2z/i+kFCxlZIbNVgVS6bKFwBU0T
MQjsJauIHStqNfTiVdCUFdb6sdnloo89v0OxLMqDUzYFWbgd2zo4biy8npS0xMj3
LeztZzMCCOvA+H5jVN6FLn4B3ic6eahL2/N3TBSy50H1l/B8jlhg1fiNq9ShcCqd
z0Od87CPuyOrO41ypYXdn9TTEBD/83m8V55VT+Tq/bXKoEOwlBkTFC1+0jmH/+sy
x/+GF7p65cg=
=IUb/
- -----END PGP SIGNATURE-----
- --=-=-=--
------- End of forwarded message -------
next reply other threads:[~2007-12-03 18:43 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-12-03 18:43 Richard Stallman [this message]
2007-12-09 1:38 ` [dkg@fifthhorseman.net: security: url-cookies file stored world-readable, allowing session hijacking] Glenn Morris
2007-12-10 6:19 ` Daniel Kahn Gillmor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=E1IzGGJ-0006Uw-87@fencepost.gnu.org \
--to=rms@gnu.org \
--cc=emacs-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.