Bugtraq mailing list archives
Re: [hacksware]Pine temporary file hijacking vulnerability
From: "Ryan W. Maple" <ryan () GUARDIANDIGITAL COM>
Date: Tue, 12 Dec 2000 21:30:41 -0500
I do not really think the problem is this. /tmp is there for a reason, and I don't really find any fault in vendors/developers for using it accordingly.

I think the real problem here is the use of '$$' in temporary file creation. mkstemp(3) is there for a reason:

    NAME
           mkstemp - create a unique temporary file

Just my $.02. :)

Cheers,
Ryan

+-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+
  Ryan W. Maple          "I dunno, I dream in Perl sometimes..."  -LW
  Guardian Digital, Inc.                     ryan () guardiandigital com
+-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+

On Mon, 11 Dec 2000, Thomas Corriher wrote:

> So many of these problems would just disappear if the system's default profile had something like "$TMPDIR=$HOME" or "$TMPDIR=$HOME/tmp". Pine is not really the problem. Poorly configured systems are the problem.
>
> Linux distributors: are you paying attention? Why should all users be given full access to any directory; especially if most programs are designed to use that directory by default?
>
> It is time that we wake up certain corporations and software distribution companies. This sloppiness should not be tolerated. This type of problem appears again, and again, and again; yet these problems could be fixed with a one-liner. Oh the insanity! I am not even an expert on security matters, but I do know enough about the basics to realize that many default configurations are incredibly stupid.
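The contrast drawn in the message above between '$$'-style naming and mkstemp(3), as an added example that is not part of the original post and not Pine's code. The file name `demo.<pid>`, the function names and the scratch directory are hypothetical; the "file that is already there" is constructed inside a private directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: the '$$' pattern. The name is derived from the PID, so it can be
 * predicted, and without O_EXCL open() silently reuses whatever already
 * exists at that path. "demo.<pid>" is a hypothetical name. */
int open_pid_tmp(const char *dir, char *path, size_t n)
{
    snprintf(path, n, "%s/demo.%ld", dir, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: mkstemp(3) replaces XXXXXX with a unique suffix and creates
 * the file exclusively (fails rather than reuses) with mode 0600. */
int open_mkstemp_tmp(const char *dir, char *path, size_t n)
{
    snprintf(path, n, "%s/demo.XXXXXX", dir);
    return mkstemp(path);
}

/* Constructed scenario: the predictable name already exists before we open.
 * Returns a bitmask: bit 0 set if the PID-named open landed on the planted
 * file, bit 1 set if the mkstemp open did; -1 on setup failure. */
int run_demo(void)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX", planted[256], p1[256], p2[256];
    struct stat want, got;
    int result = 0, fd, ok;
    if (!mkdtemp(dir)) return -1;
    snprintf(planted, sizeof planted, "%s/demo.%ld", dir, (long)getpid());
    fd = open(planted, O_WRONLY | O_CREAT | O_EXCL, 0600);
    ok = fd >= 0 && fstat(fd, &want) == 0;
    if (fd >= 0) close(fd);
    if (!ok) { unlink(planted); rmdir(dir); return -1; }
    fd = open_pid_tmp(dir, p1, sizeof p1);       /* same inode => reused */
    if (fd >= 0 && fstat(fd, &got) == 0 && got.st_ino == want.st_ino) result |= 1;
    if (fd >= 0) close(fd);
    fd = open_mkstemp_tmp(dir, p2, sizeof p2);   /* fresh inode expected */
    if (fd >= 0 && fstat(fd, &got) == 0 && got.st_ino == want.st_ino) result |= 2;
    if (fd >= 0) { close(fd); unlink(p2); }
    unlink(planted); rmdir(dir);
    return result;
}

int main(void) { printf("reuse mask: %d\n", run_demo()); return 0; }
```

A mask of 1 means only the PID-named open ended up on the pre-existing file; adding `O_EXCL` to the first `open()` would make it fail instead, but the name would still be predictable.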