lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 13 Sep 2004 21:12:16 +0200
From: Max <spamhole@....at>
To: bugtraq@...urityfocus.com
Subject: Insecure file permissions in the Firefox browser for Linux >= v0.9



after installing firefox many of the permissions are set to 777, allowing 
anyone on the system to change the contents of the (executable) files.

this first occured in the 0.9 release (in the tar.gz release as well as in the 
installer). the problem (or is it called a feature now?) still exists in the 
latest release v0.9.3.

the problem was reported on bugzilla long long time ago by myself and others.

lunanova:/tmp# tar xzf firefox-0.9.3-i686-linux-gtk2+xft-installer.tar.gz
lunanova:/tmp# cd firefox-installer/
lunanova:/tmp/firefox-installer# ./firefox-installer
# ... installing to /tmp/firefox-0.9.3
lunanova:/tmp/firefox-installer# exit
max@...anova:~$ cd /tmp/firefox-0.9.3
max@...anova:/tmp/firefox-0.9.3$ echo 'echo "oops"' > run-mozilla.sh
max@...anova:/tmp/firefox-0.9.3$ ./firefox
oops
max@...anova:/tmp/firefox-0.9.3$ ls -l
total 12676
drwxr-xr-x  4 root root    4096 Sep 13 21:02 chrome
drwxr-xr-x  3 root root    4096 Sep 13 21:02 components
drwxr-xr-x  5 root root    4096 Sep 13 21:02 defaults
drwxr-xr-x  2 root root    4096 Sep 13 21:02 extensions
-rwxr-xr-x  1 root root    4775 Aug  3 14:14 firefox
-rwxr-xr-x  1 root root 9758932 Aug  3 14:14 firefox-bin
drwxr-xr-x  2 root root    4096 Sep 13 21:02 greprefs
-rw-r--r--  1 root root   29364 Sep 13 21:02 install.log
-rwxrwxrwx  1 root root  441204 Aug  3 14:14 libmozjs.so
-rwxrwxrwx  1 root root  177164 Aug  3 14:14 libnspr4.so
-rwxrwxrwx  1 root root  405372 Aug  3 14:14 libnss3.so
-rwxrwxrwx  1 root root  170068 Aug  3 14:14 libnssckbi.so
-rwxrwxrwx  1 root root   15272 Aug  3 14:14 libplc4.so
-rwxrwxrwx  1 root root    8240 Aug  3 14:14 libplds4.so
-rwxrwxrwx  1 root root  134188 Aug  3 14:14 libsmime3.so
-rw-rw-rw-  1 root root     476 Aug  3 14:14 libsoftokn3.chk
-rwxrwxrwx  1 root root  419824 Aug  3 14:14 libsoftokn3.so
-rwxrwxrwx  1 root root  125376 Aug  3 14:14 libssl3.so
-rwxrwxrwx  1 root root  661232 Aug  3 14:14 libxpcom.so
-rwxrwxrwx  1 root root   94888 Aug  3 14:14 libxpcom_compat.so
-rwxrwxrwx  1 root root    7736 Aug  3 14:14 libxpistub.so
-rwxrwxrwx  1 root root  236615 Aug  3 14:14 mozilla-xremote-client
drwxr-xr-x  2 root root    4096 Sep 13 21:02 plugins
-rw-r--r--  1 root root     335 Sep 13 21:02 registry
drwxr-xr-x  7 root root    4096 Sep 13 21:02 res
-rwxrwxrwx  1 root root      12 Sep 13 21:03 run-mozilla.sh
drwxr-xr-x  2 root root    4096 Sep 13 21:02 searchplugins
-rwxrwxrwx  1 root root  147500 Aug  3 14:14 xpicleanup
.. subdirs dont look much better.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ