Package: libruby1.8
Version: 1.8.1+1.8.2pre1-3
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
I just noticed that CGI::Session's FileStore (and presumably PStore)
implementations store session information insecurely. They simply
create files, ignoring permission issues. I assume the only thing
affecting permissions is the value of umask. For both my user, as
well as www-data, session files end up in /tmp with permission
0644. This is quite bad; an unsuspecting user might be storing
sensitive information in session variables, assuming that the class
stores data securely.
The following script illustrates the problem:
#!/usr/bin/ruby -w
require 'cgi'
require 'cgi/session'
cgi = CGI.new('html4')
session = CGI::Session.new(cgi, 'prefix' => 'blah_')
Kernel.system("ls -l " + Dir.glob("/tmp/blah_*").join(" "))
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.7-1-k7
Locale: LANG=en_US, LC_CTYPE=en_US
Versions of packages libruby1.8 depends on:
ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries an
-- no debconf information
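
The permission behaviour described in the report, next to a file created with an explicit owner-only mode, as an added example that is not part of the original report and not CGI::Session's own code. The helper names, file names and sample data are hypothetical, and the umask is forced to 0022 so the default case reproduces the 0644 the report mentions.

```ruby
require 'tmpdir'

# Constructed stand-in for a file-backed session store (hypothetical helpers,
# not CGI::Session's code). No mode is passed, so the file gets 0666 & ~umask.
def create_default(path, data)
  File.open(path, 'w') { |f| f.write(data) }
  File.stat(path).mode & 0777
end

# Hardened variant: EXCL refuses a pre-existing file or symlink at the path,
# and the mode is explicit, so the result does not depend on the umask.
def create_private(path, data)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
    f.chmod(0600) # the umask can only clear bits; pin the mode exactly
    f.write(data)
  end
  File.stat(path).mode & 0777
end

# Audit helper: regular files under dir with the given prefix that group or
# other users can read.
def exposed_session_files(dir, prefix)
  Dir.glob(File.join(dir, "#{prefix}*")).select do |p|
    st = File.lstat(p)
    st.file? && (st.mode & 0044) != 0
  end.sort
end

def demo
  old = File.umask(0022) # common default; yields the 0644 seen in the report
  Dir.mktmpdir do |dir|
    weak = create_default(File.join(dir, 'blah_weak'), 'user=alice')
    safe = create_private(File.join(dir, 'blah_safe'), 'user=alice')
    exposed = exposed_session_files(dir, 'blah_').map { |p| File.basename(p) }
    { weak_mode: weak, safe_mode: safe, exposed: exposed }
  end
ensure
  File.umask(old)
end

printf("weak=%04o safe=%04o exposed=%p\n", *demo.values) if __FILE__ == $0
```

The audit helper can be pointed at a real session directory and prefix to list files that other local users are able to read.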