Date: Sun, 13 Jun 2010 23:04:30 +0300 From: Henri Salo <henri@...v.fi> To: oss-security@...ts.openwall.com, "Steven M. Christey" <coley@...us.mitre.org> Subject: CVE request - pyftpd insecure usage of temporary directory Pyftpd creates log-file to a temporary directory using predictable name. This allows a local attacker to create a denial of service condition and discloses sensitive information to unprivileged users. For example accounts of other users connecting to server and paths they visit. One should use tempfile.mkstemp <http://docs.python.org/library/tempfile.html#tempfile.mkstemp> or use /var/log/ -directory instead of /tmp/ and use proper file system modes for the log-file. This affects version: 0.8.4 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=585773 Can I have CVE-identifier for this issue? --- Henri Salo
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ