oss-sec mailing list archives
Re: CVE request - pyftpd insecure usage of temporary directory
From: Josh Bressers <bressers () redhat com>
Date: Mon, 14 Jun 2010 15:34:57 -0400 (EDT)
Please use CVE-2010-2072 for this.

Thanks.

--
JB

----- "Henri Salo" <henri () nerv fi> wrote:

> Pyftpd creates a log file in a temporary directory using a predictable name.
> This allows a local attacker to create a denial of service condition and
> discloses sensitive information to unprivileged users. For example, accounts
> of other users connecting to the server and paths they visit.
>
> One should use tempfile.mkstemp
> <http://docs.python.org/library/tempfile.html#tempfile.mkstemp> or use the
> /var/log/ directory instead of /tmp/ and use proper file system modes for the
> log file.
>
> This affects version: 0.8.4
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=585773
>
> Can I have a CVE identifier for this issue?
>
> ---
> Henri Salo
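
The two remediations named in the report (tempfile.mkstemp, or a fixed log path with proper file modes), sketched as an added example that is not part of either message and is not pyftpd's code. The function names, the `ftpd-` prefix and the file names are hypothetical, and the scratch directory stands in for the real log location.

```python
import os
import stat
import tempfile

def open_log_mkstemp(directory=None):
    """Unpredictable name: mkstemp creates the file with O_EXCL and mode 0600."""
    fd, path = tempfile.mkstemp(prefix="ftpd-", suffix=".log", dir=directory)
    return os.fdopen(fd, "a"), path

def open_log_fixed(path):
    """Fixed name (e.g. under /var/log): open, then verify what was opened."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)  # 0600 only takes effect if we create it
    try:
        st = os.fstat(fd)  # inspect the open descriptor, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path}: owned by uid {st.st_uid}")
        if st.st_mode & 0o077:
            raise PermissionError(f"{path}: accessible to group or others")
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")

def demo():
    """Run both approaches in a scratch directory and report the outcome."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in: a log that already exists with loose modes.
        existing = os.path.join(d, "ftpd-example.log")
        open(existing, "w").close()
        os.chmod(existing, 0o644)
        try:
            open_log_fixed(existing).close()
            rejected = False
        except PermissionError:
            rejected = True
        fh, tmp_path = open_log_mkstemp(d)
        fh.write("constructed log line\n")
        fh.close()
        tmp_mode = stat.S_IMODE(os.stat(tmp_path).st_mode)
        new_path = os.path.join(d, "new.log")
        open_log_fixed(new_path).close()
        new_mode = stat.S_IMODE(os.stat(new_path).st_mode)
        return rejected, tmp_mode, new_mode
```

`demo()` returns whether the pre-existing world-readable file was refused, followed by the permission bits of the mkstemp file and of the freshly created fixed-name file.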
Current thread:
- CVE request - pyftpd insecure usage of temporary directory Henri Salo (Jun 13)
- Re: CVE request - pyftpd insecure usage of temporary directory Josh Bressers (Jun 14)