* [dkg@fifthhorseman.net: security: url-cookies file stored world-readable, allowing session hijacking]
@ 2007-12-03 18:43 Richard Stallman
2007-12-09 1:38 ` Glenn Morris
0 siblings, 1 reply; 3+ messages in thread
From: Richard Stallman @ 2007-12-03 18:43 UTC (permalink / raw)
To: emacs-devel
Can someone please DTRT in Emacs 22, then ack?
------- Start of forwarded message -------
X-Spam-Status: No, score=0.0 required=5.0 tests=UNPARSEABLE_RELAY
autolearn=failed version=3.1.0
To: bug-gnu-emacs@gnu.org
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sun, 02 Dec 2007 13:58:38 -0500
Message-ID: <87tzn0vs81.fsf@squeak.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
micalg=pgp-sha1; protocol="application/pgp-signature"
Subject: security: url-cookies file stored world-readable,
allowing session hijacking
- --=-=-=
Content-Transfer-Encoding: quoted-printable
I just noticed that ~/.url/cookies was world-readable, and its parent
directory was world-readable, exposing the cookies emacs held to the
outside world, which allows for a session hijacking attack.
To replicate (i'm sure there are other ways) i did:
From=20a clean test account (no ~/.emacs file, no ~/.emacs.d directory,
and no ~/.url directory), launch gnus (M-x gnus). Then "G m" to make
a new group named "test.cookies" with backend "nnrss". I then visited
the group, and gave it the URL of an RSS feed i publish which offers
cookies [0].
I then switched to the *scratch* buffer, and evaluated:
(url-cookie-write-file)
t
As a result, the following directory and file were created:
0 xxx@monkey:~$ ls -la ~/.url
total 12
drwxr-xr-x 2 xxx xxx 4096 2007-12-02 13:49 .
drwxr-xr-x 53 xxx xxx 4096 2007-12-02 13:49 ..
=2Drw-r--r-- 1 xxx xxx 372 2007-12-02 13:49 cookies
0 xxx@monkey:~$=20
Since that cookies file is world-readable (and the directory that it's
in is world-readable), someone could potentially hijack any session
maintained by my emacs instance. It appears to also work on cookies
sent from secure sites. This is a security flaw, and should be fixed.
I'm sorry that i don't know elisp well enough to offer a patch to
/usr/share/emacs/22.1/lisp/url/url-cookie.el.gz
but i suspect that's where it needs to be fixed (at least that appears
to be the suspect file on a debian system).
Thanks for developing and maintaining emacs!
Regards,
--dkg
PS i'm not on this list at the moment, so Cc'ing responses to me would
be appreciated.
In GNU Emacs 22.1.1 (i486-pc-linux-gnu, X toolkit, Xaw3d scroll bars)
of 2007-11-09 on security.skolelinux.no, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.10300000
configured using `configure '--build=3Di486-linux-gnu' '--host=3Di486-linu=
x-gnu' '--prefix=3D/usr' '--sharedstatedir=3D/var/lib' '--libexecdir=3D/usr=
/lib' '--localstatedir=3D/var/lib' '--infodir=3D/usr/share/info' '--mandir=
=3D/usr/share/man' '--with-pop=3Dyes' '--enable-locallisppath=3D/etc/emacs2=
2:/etc/emacs:/usr/local/share/emacs/22.1/site-lisp:/usr/local/share/emacs/s=
ite-lisp:/usr/share/emacs/22.1/site-lisp:/usr/share/emacs/site-lisp:/usr/sh=
are/emacs/22.1/leim' '--with-x=3Dyes' '--with-x-toolkit=3Dathena' '--with-t=
oolkit-scroll-bars' 'build_alias=3Di486-linux-gnu' 'host_alias=3Di486-linux=
- -gnu' 'CFLAGS=3D-DDEBIAN -g -O2''
[0] http://cmrg.fifthhorseman.net/timeline?ticket=3Don&ticket_details=3Don&=
changeset=3Don&wiki=3Don&max=3D50&daysback=3D90&format=3Drss
- --=-=-=
Content-Type: application/pgp-signature
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQIVAwUBR1MAZczS7ZTSFznpAQKUhA/+OOg+wf8TMsoSaB6Lpg+YrFteY9F5WSyo
zy0RiR/7MwgJmmMYtB0CovpXyBoq4EGoPGayJEWsSEiPh2RB4RrVNfuZz5tQ5Hzp
MPKQKkdHht3HbE1VhZItgR4PLUEa6ZFjZSKnaiqMUj5WEF3VmS7G9DGPaAM3LSPE
+EV8Lg4cJN74EcqDYQ3PyOu73yzZin26/z694S7amHVbTcvcTgftsuotioWs8Pcz
gEPKt+lxUPw7N6K1HcBE9hKBtgndNxBfHAN/4IwyijhELRb7uanb3c0DZ0meGK8f
d1+YQKd5LieXJ6uQpHrBTqMoGzDElBrqgW7PLmTIOS9ImRlsm4ARlLnRdvW7Zj2i
pWMlby4GeGSoYkLKfSCQ40C+vkedMm+JJQsKrkLULD51uq9jgsJp7tFfbhiwBHVu
K2PdhSbZ0Pl/aC9H/4DhSIU9PP4+TwNrE2ufI2z/i+kFCxlZIbNVgVS6bKFwBU0T
MQjsJauIHStqNfTiVdCUFdb6sdnloo89v0OxLMqDUzYFWbgd2zo4biy8npS0xMj3
LeztZzMCCOvA+H5jVN6FLn4B3ic6eahL2/N3TBSy50H1l/B8jlhg1fiNq9ShcCqd
z0Od87CPuyOrO41ypYXdn9TTEBD/83m8V55VT+Tq/bXKoEOwlBkTFC1+0jmH/+sy
x/+GF7p65cg=
=IUb/
- -----END PGP SIGNATURE-----
- --=-=-=--
------- End of forwarded message -------
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [dkg@fifthhorseman.net: security: url-cookies file stored world-readable, allowing session hijacking]
2007-12-03 18:43 [dkg@fifthhorseman.net: security: url-cookies file stored world-readable, allowing session hijacking] Richard Stallman
@ 2007-12-09 1:38 ` Glenn Morris
2007-12-10 6:19 ` Daniel Kahn Gillmor
0 siblings, 1 reply; 3+ messages in thread
From: Glenn Morris @ 2007-12-09 1:38 UTC (permalink / raw)
To: dkg; +Cc: rms, emacs-devel
> I just noticed that ~/.url/cookies was world-readable, and its parent
> directory was world-readable, exposing the cookies emacs held to the
> outside world, which allows for a session hijacking attack.
I can fix this. Should ~/.url be private, or just certain files within
it (cookies, history, what else)?
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [dkg@fifthhorseman.net: security: url-cookies file stored world-readable, allowing session hijacking]
2007-12-09 1:38 ` Glenn Morris
@ 2007-12-10 6:19 ` Daniel Kahn Gillmor
0 siblings, 0 replies; 3+ messages in thread
From: Daniel Kahn Gillmor @ 2007-12-10 6:19 UTC (permalink / raw)
To: Glenn Morris; +Cc: rms, dkg, emacs-devel
[-- Attachment #1.1: Type: text/plain, Size: 683 bytes --]
On Sat 2007-12-08 20:38:09 -0500, Glenn Morris wrote:
> dkg wrote:
>
>> I just noticed that ~/.url/cookies was world-readable, and its parent
>> directory was world-readable, exposing the cookies emacs held to the
>> outside world, which allows for a session hijacking attack.
>
> I can fix this. Should ~/.url be private, or just certain files within
> it (cookies, history, what else)?
i would suspect that history should also be private -- URLs visited
often hold information that you might not want others to see. i'm not
sure what else gets placed in that directory, so i don't know if the
directory itself should be mode 0700 or not.
Thanks for the followup,
--dkg
[-- Attachment #1.2: Type: application/pgp-signature, Size: 826 bytes --]
[-- Attachment #2: Type: text/plain, Size: 142 bytes --]
_______________________________________________
Emacs-devel mailing list
Emacs-devel@gnu.org
http://lists.gnu.org/mailman/listinfo/emacs-devel
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2007-12-10 6:19 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-12-03 18:43 [dkg@fifthhorseman.net: security: url-cookies file stored world-readable, allowing session hijacking] Richard Stallman
2007-12-09 1:38 ` Glenn Morris
2007-12-10 6:19 ` Daniel Kahn Gillmor
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.