Full Disclosure mailing list archives
Re: Microsoft Windows Vista/2003/XP/2000 file management security issues
From: Tim <tim-security () sentinelchicken org>
Date: Fri, 9 Mar 2007 13:47:03 -0500
So, let me get this. An app storing sensitive data doesn't make its own temp storage folders in a secure location, and instead relies upon one of the few folders in Windows that all users have Full Control to, and this is a Windows problem? In Linux, if an app uses \tmp, is that a Linux issue? Sounds like a developer issue to me.
No, I never said I blame Windows for a poorly written app such as this. Don't jump to conclusions. Many developers might think using predictable filenames in TEMP might be ok, since Windows doesn't (yet) have issues related to symlink attacks. However, ZARAZA has shown a few ways to exploit this lame practice anyway, beyond just a DoS. That's all I'm saying. tim _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Microsoft Windows Vista/2003/XP/2000 file management security issues 3APA3A (Mar 08)
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues Roger A. Grimes (Mar 09)
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues 3APA3A (Mar 09)
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues Roger A. Grimes (Mar 09)
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues Tim (Mar 09)
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues Roger A. Grimes (Mar 09)
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues Tim (Mar 09)
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues Laundrup, Jens (Mar 09)
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues Tim (Mar 09)
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues 3APA3A (Mar 09)
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues 3APA3A (Mar 09)
- Message not available
- Message not available
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues Roger A. Grimes (Mar 10)
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues Roger A. Grimes (Mar 09)
- Message not available
- Message not available
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues 3APA3A (Mar 10)
- Message not available
- Message not available
- Message not available
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues KJKHyperion (Mar 10)
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues czino2 (Mar 11)
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues 3APA3A (Mar 09)
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues Roger A. Grimes (Mar 09)
- Message not available
- Re: Microsoft Windows Vista/2003/XP/2000 file management security issues steven (Mar 09)