SecurityTracker.com
Category:  Application (Generic) > Ruby
Vendors:  Matsumoto, Yukihiro
Ruby Unsafe Temporary Files May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1010955
SecurityTracker URL:  http://securitytracker.com/id/1010955
CVE Reference:  CAN-2004-0755
Date:  Aug 16 2004
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.8.1 and prior versions
Description:   A vulnerability was reported in Ruby in the processing of temporary files. A local user may be able to gain elevated privileges.

Andres Salomon reported that CGI::Session stores FileStore session data in an unsafe manner. Files are created in the 'tmp' directory without the proper permissions. As a result, a local user may be able to access the files and take over a target user's session.

Impact:   A local user may be able to hijack a target user's session.
Solution:   The vendor has issued a fix, available via CVS.
Vendor URL:  www.ruby-lang.org/
Cause:   Access control error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 16 2004 (Debian Issues Fix) Ruby Unsafe Temporary Files May Let Local Users Gain Elevated Privileges   (joey@infodrom.org (Martin Schulze))
Debian has released a fix.
Sep 30 2004 (Red Hat Issues Fix for RHEL) Ruby Unsafe Temporary Files May Let Local Users Gain Elevated Privileges   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 2.1 and 3.
Oct 15 2004 (Fedora Issues Fix for FC2) Ruby Unsafe Temporary Files May Let Local Users Gain Elevated Privileges   (Akira TAGOH <tagoh@redhat.com>)
Fedora has released a fix for Fedora Core 2.
Nov 8 2004 (Mandrake Issues Fix) Ruby Unsafe Temporary Files May Let Local Users Gain Elevated Privileges   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.
Nov 12 2004 (Fedora Issues Fix for FC3) Ruby Unsafe Temporary Files May Let Local Users Gain Elevated Privileges   (Akira TAGOH <tagoh@redhat.com>)
Fedora has released a fix for Fedora Core 3.



Source Message Contents

Date:  Thu, 22 Jul 2004 03:14:19 -0400
Subject:  libruby1.8: CGI::Session creates files insecurely


Package: libruby1.8
Version: 1.8.1+1.8.2pre1-3
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

I just noticed that CGI::Session's FileStore (and presumably PStore)
implementations store session information insecurely.  They simply
create files, ignoring permission issues.  I assume the only thing
affecting permissions is the value of umask.  For both my user, as
well as www-data, session files end up in /tmp with permission
0644.  This is quite bad; an unsuspecting user might be storing
sensitive information in session variables, assuming that the class
stores data securely.

The following script illustrates the problem:

#!/usr/bin/ruby -w

require 'cgi'
require 'cgi/session'

# Outside a real CGI environment CGI.new runs in offline mode and reads
# name=value pairs from standard input; an empty stdin is enough here.
cgi = CGI.new('html4')
# Creating the session makes the default FileStore write a file named
# blah_<session id> in the temporary directory (/tmp here).
session = CGI::Session.new(cgi, 'prefix' => 'blah_')
# List the session file(s) to show the permission bits they were created
# with; only the umask has limited them, hence 0644 in the report.
Kernel.system("ls -l " + Dir.glob("/tmp/blah_*").join(" "))




-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.7-1-k7
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages libruby1.8 depends on:
ii  libc6                       2.3.2.ds1-13 GNU C Library: Shared libraries an

-- no debconf information
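The weakness in the report above is a session file created with the process's default mode, so that only the umask decides who can read it. The following script, added here as an example and not taken from the report or from Ruby's own CGI::Session code, contrasts that pattern with a store that creates each file exclusively and with mode 0600; the directory, file names and session data are constructed for the demonstration.

```ruby
# Added example: the reported pattern next to a hardened one.
require 'tmpdir'

# The reported pattern: File.open with the default mode 0666, which a
# typical umask of 022 turns into world-readable 0644.
def write_session_insecure(path, data)
  File.open(path, 'w') { |f| f.write(data) }
  path
end

# Hardened pattern: create the file exclusively (fail if something is
# already at that path, so a pre-existing file or symlink is never
# reused) and with mode 0600, independent of the umask.
def write_session_secure(path, data)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
    f.write(data)
  end
  path
end

# Permission bits of a file as an octal string such as "644".
def perm_bits(path)
  format('%o', File.stat(path).mode & 0777)
end

# True when the group or others can read the file (the report's finding).
def world_or_group_readable?(path)
  (File.stat(path).mode & 0044) != 0
end

# Writes one session file each way in a private directory and returns
# the resulting permission bits; the session data is constructed sample input.
def demo
  Dir.mktmpdir('ruby_session_demo') do |dir|
    old_umask = File.umask(022) # the common default the report implies
    begin
      bad  = write_session_insecure(File.join(dir, 'blah_1'), "user=alice\n")
      good = write_session_secure(File.join(dir, 'blah_2'), "user=alice\n")
      { insecure: perm_bits(bad), secure: perm_bits(good) }
    ensure
      File.umask(old_umask)
    end
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__ # {:insecure=>"644", :secure=>"600"}
```

The same check, `perm_bits` on the files that `ls -l /tmp/blah_*` shows, is a quick way to confirm whether an installed Ruby still carries the unfixed FileStore.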
Copyright 2013, SecurityGlobal.net LLC