[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
security: url-cookies file stored world-readable, allowing session hijac
Daniel Kahn Gillmor
security: url-cookies file stored world-readable, allowing session hijacking
Sun, 02 Dec 2007 13:58:38 -0500
Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux)
I just noticed that ~/.url/cookies was world-readable, and its parent
directory was world-readable, exposing the cookies emacs held to the
outside world, which allows for a session hijacking attack.
To replicate (i'm sure there are other ways) i did:
From a clean test account (no ~/.emacs file, no ~/.emacs.d directory,
and no ~/.url directory), launch gnus (M-x gnus). Then "G m" to make
a new group named "test.cookies" with backend "nnrss". I then visited
the group, and gave it the URL of an RSS feed i publish which offers
I then switched to the *scratch* buffer, and evaluated:
As a result, the following directory and file were created:
0 xxx@monkey:~$ ls -la ~/.url
drwxr-xr-x 2 xxx xxx 4096 2007-12-02 13:49 .
drwxr-xr-x 53 xxx xxx 4096 2007-12-02 13:49 ..
-rw-r--r-- 1 xxx xxx 372 2007-12-02 13:49 cookies
Since that cookies file is world-readable (and the directory that it's
in is world-readable), someone could potentially hijack any session
maintained by my emacs instance. It appears to also work on cookies
sent from secure sites. This is a security flaw, and should be fixed.
I'm sorry that i don't know elisp well enough to offer a patch to
but i suspect that's where it needs to be fixed (at least that appears
to be the suspect file on a debian system).
Thanks for developing and maintaining emacs!
PS i'm not on this list at the moment, so Cc'ing responses to me would
In GNU Emacs 22.1.1 (i486-pc-linux-gnu, X toolkit, Xaw3d scroll bars)
of 2007-11-09 on security.skolelinux.no, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.10300000
configured using `configure '--build=i486-linux-gnu' '--host=i486-linux-gnu'
'--prefix=/usr' '--sharedstatedir=/var/lib' '--libexecdir=/usr/lib'
'--with-x=yes' '--with-x-toolkit=athena' '--with-toolkit-scroll-bars'
'build_alias=i486-linux-gnu' 'host_alias=i486-linux-gnu' 'CFLAGS=-DDEBIAN -g
Description: PGP signature
|[Prev in Thread]
||[Next in Thread]|
- security: url-cookies file stored world-readable, allowing session hijacking,
Daniel Kahn Gillmor <=