lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040910152759.7739.qmail@www.securityfocus.com>
Date: 10 Sep 2004 15:27:59 -0000
From: "Jérôme" ATHIAS <jerome.athias@...amail.com>
To: bugtraq@...urityfocus.com
Subject: OpenOffice World-Readable Temporary Files Disclose Files to Local
    Users




OpenOffice World-Readable Temporary Files Disclose Files to Local Users

Date:  Thu, 9 Sep 2004 23:52:18 -0400
Subject:  http://www.openoffice.org/issues/show_bug.cgi?id=33357
 


 
 
Reporter: pmladek
OS:  Linux
Version:  OOo 1.1.2
Summary:  Insecure permissions on temporary files at runtime
 
When OOo is started, a directory /tmp/sv<RAND>.tmp is created, where
RAND is a 3 character random string. 
 
The permissions of this directory allow other users (depending on the user's
umask) to 'cd' to this directory and list the contents.
 
Once a file is saved, a zipped file is created in /tmp/sv<RAND>.tmp and the
name of the file follows the same convention. The permissions of the file
allow others (depending on the user's umask) to read the content.
 
Due to this any user can grab sensitive information of someother user.
 
Steps to reproduce the problem:
1. Launch OpenOffice.
2. List /tmp contents. Locate the directory 'sv*.tmp'
3. Type in some contents in the document and save it.
4. List the contents of the directory /tmp/sv*.tmp/
5. Do not close OpenOffice. 'su' to a different user.
6. Copy the file under /tmp/sv*.tmp/ to home directory.
7. Use 'unzip' to unzip the files.
8. The file content.xml holds the data the user had just saved.
 
The workaround is to set more secure umask. The problem is that the users does
not know about it. Why should they need to set more strict umask if they save
its data in a directory which has the correct permissions. They do not expect
that there are any world-readable temporary data available somewhere on the system.

 
Also reported here http://securitytracker.com/id?1011205 

Regards,
Jérôme ATHIAS


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ