Matt Zimmerman wrote:
>>The default value for 'tmpdir' parameter is /tmp, so any user can
>>know the name of the file created by CGI::Session::FileStore.
>>The filename contains the session id, so this can lead an attacker
>>who has also shell access to the webserver to take over a session.
>
>
> The file is created world-readable? If so, that is the bug; using /tmp is
> not a bug in itself.
No. The session id is contained in the *filename*, so the
read-permission of the file itself is not necessary to take over a
session.
Any user can get the session id by `ls /tmp'.
The bug is already fixed in the CVS HEAD (The default value of 'tmpdir'
is still /tmp, but the filename doesn't contain session id itself).
Shugo
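To make the point of the thread concrete: the weakness is not the directory or the file mode but the fact that the session id appears verbatim in the filename, so a plain directory listing discloses it. The Ruby below is an added illustration, not Ruby's cgi/session code and not the CVS HEAD fix itself; the module name, the `cgi_sid_` prefix, the SHA-256 digest and the sample session id are all assumptions. It shows the weak naming scheme beside a hardened one and a check that simulates what `ls` would reveal to another local user.

```ruby
require 'digest'
require 'tmpdir'

# Illustrative session file store (assumption: not Ruby's cgi/session code).
# The only difference between the two naming schemes is whether the raw
# session id appears in the filename.
module SessionFileNaming
  PREFIX = 'cgi_sid_' # hypothetical prefix

  # Weak scheme: the filename embeds the raw session id, so anyone who can
  # list the directory (e.g. `ls /tmp`) learns a valid id without ever
  # needing read permission on the file.
  def self.weak_path(dir, session_id)
    File.join(dir, PREFIX + session_id)
  end

  # Hardened scheme: the filename is a one-way digest of the id. A listing
  # shows only digests, which cannot be turned back into the id as long as
  # the id itself has enough entropy to resist guessing.
  def self.safe_path(dir, session_id)
    File.join(dir, PREFIX + Digest::SHA256.hexdigest(session_id)[0, 32])
  end

  # Create the session file owner-only (0600) and fail if it already exists,
  # so the contents are not world-readable either and no pre-planted file is
  # silently reused.
  def self.create(path, data)
    File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
      f.write(data)
    end
    path
  end

  # Simulate what an unprivileged user sees with `ls <dir>`: does any
  # filename reveal the session id?
  def self.id_exposed_by_listing?(dir, session_id)
    Dir.children(dir).any? { |name| name.include?(session_id) }
  end
end

# Run both schemes in a private temporary directory and report whether a
# directory listing exposes the id under each. Returns [weak, safe].
def demo
  session_id = 'e3b0c44298fc1c149afbf4c8996fb924' # constructed sample id
  Dir.mktmpdir('session_demo') do |dir|
    SessionFileNaming.create(SessionFileNaming.weak_path(dir, session_id), 'user=alice')
    weak_exposed = SessionFileNaming.id_exposed_by_listing?(dir, session_id)
    Dir.children(dir).each { |n| File.delete(File.join(dir, n)) }
    SessionFileNaming.create(SessionFileNaming.safe_path(dir, session_id), 'user=alice')
    safe_exposed = SessionFileNaming.id_exposed_by_listing?(dir, session_id)
    [weak_exposed, safe_exposed]
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Digesting the id only closes the disclosure-by-listing hole; a store that writes into a shared directory still needs the owner-only mode and `O_EXCL` creation above, or better a directory that other local users cannot list at all.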