Bugtraq mailing list archives

J-Pilot Permissions Vulnerability


From: Weston Pawlowski <bug () WESTON CX>
Date: Thu, 14 Dec 2000 08:21:22 -0000

J-Pilot automatically creates a ".jpilot"
directory in the user's home directory to store
preferences and backed up PalmOS device data. The
permissions for this directory are mode 755, and
files in the directory are mode 644; this allows
anyone with only minimal access to the user's home
directory to also access their PalmOS device's
backup data, including private records.

Because ".jpilot" is often hidden due to the
leading '.', this insecurity is often unnoticed.
This is a big concern for J-Pilot users because it
is common for home directories to be world
executable, often due to a "public_html" directory
for HTTP content which requires the user's home
directory to be at least world executable.

So in summary, if there is a user named "joe" who
uses J-Pilot, any user on the system could type
"cd ~joe/.jpilot" and read all of joe's PalmOS
data including private records. This is dependent
on joe's home directory being world executable or
not, but it often is.

The good news is that it's probably not very
common for someone to sync their PalmOS device on
a system that many, if any, other people have
shell access to. But, if this situation does
happen, the vulnerable user is likely to be the
owner of the machine (since he has to be local),
and there's the possibility that he may keep a
password list on his PalmOS device. In which case,
any user could get the system admin's passwords,
which obviously may include the system's root
password.

The fix is to simply type "chmod 700 ~/.jpilot"

-Weston
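
The following is an added example, not part of the original post or of J-Pilot: a POSIX shell audit for the condition described above. It goes slightly beyond the post's one-line fix by also stripping group/other access from the files inside the directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit a J-Pilot data directory.

# True if PATH grants any permission to group or other (columns 5-10 of ls -l).
is_exposed() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# True if "other" may traverse PATH (x or t in column 10), the precondition
# the post describes for the user's home directory.
world_traversable() {
    case "$(ls -ld "$1" | cut -c10)" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print "mode path" for every directory and regular file under DIR that
# group or other can access. Returns 2 if DIR does not exist.
audit_jpilot() {
    [ -d "$1" ] || return 2
    find "$1" \( -type d -o -type f \) | while IFS= read -r p; do
        if is_exposed "$p"; then
            printf '%s %s\n' "$(ls -ld "$p" | cut -c1-10)" "$p"
        fi
    done
}

# Remove all group/other access from DIR and its contents
# (755 -> 700 for directories, 644 -> 600 for files).
harden_jpilot() {
    chmod -R go-rwx "$1"
}

# Usage: sh audit.sh "$HOME/.jpilot"
if [ "$#" -gt 0 ]; then
    if world_traversable "$(dirname "$1")"; then
        echo "note: parent directory is world-executable"
    fi
    audit_jpilot "$1"
fi
```

An empty listing from audit_jpilot means no directory or file under the path is reachable by group or other.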

