Your message dated Wed, 15 Mar 2006 03:47:08 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#356555: fixed in libcgi-session-perl 4.07-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: libcgi-session-perl
Version: 4.03-1
Severity: grave
Tags: security
Hole 1:
CGI::Session with its default Driver::File contains this insecure code:
$self->{Directory} ||= File::Spec->tmpdir();
my $directory = $self->{Directory};
my $path = File::Spec->catfile($directory, $file);
unless ( sysopen(FH, $path, O_RDONLY) ) {
File::Spec->tmpdir defaults to /tmp, and this is where CGI::Session
defaults to storing its temporary files. Therefore, it writes files to
/tmp without the O_EXCL flag set when opening them.
This makes it vulnerable to symlink attacks when used with these default
settings, provided that you can guess what session id will be generated
before time. Of course session ids are supposed to be hard to guess,
that's the point of them, but a failure mode that includes overwriting
arbitrary files is a bit worse than would be expected. I suggest adding
| O_EXCL to close this hole.
Hole 2:
Notice that the sysopen above does not include permissions. So with a
standard umask, the session file defaults to world readable, and anyone
on the machine can get access to all the session keys and whatever is
secured via them, and whatever else is stored in the session files. I
can see no reason not to pass a mode of 0400 to the sysopen above.
Setting umask(077) before creating the session object will work around
this problem. I know that perl's philosophy is to respect the umask by
default, but I think that in this case a secure default is more
important.
Hole 3:
Driver::db_file has documentation that falsely claims to write to
/tmp/cgisessions.db by default, when in fact it seems to default to
writing to ./cgisess.db. If your cgi script is ~/public_html/my.cgi,
then it will unexpectedly write to ~/public_html/cgisess.db, which will
be publicly accessible, since it writes the file mode 644. Remote
users can then download the file and take over others' sessions.
Hole 4:
If you write the file somewhere else, then it's still mode
644, so local users can read all the session data from it.
Setting umask(077) before creating the session object is a way to
work around the permissions issue.
Hole 5:
If you use Driver::db_file and specify a FileName for the file (like the
example does in the man page), you can get it to write to /tmp, which is
again subject to symlink attacks.
There's an attack possible the first time the file is created, but a
better attack is against the .lck file used for locking, which is
written to the same directory, and which is opened without O_EXCL.
Just start creating a symlink /tmp/cgisessions.db.lck -> /some/file in a
loop, hit the CGI script that uses CGI::Session a few times until you win
the race, and voila, /some/file has been zeroed.
/var/log/apache2/access.log might be a good candidate for /some/file.
Hole 6:
Driver::sqlite writes to /tmp/sessions.sqlt by default. I have not
checked to see if DBI->connect opens the file with O_EXCL, but I doubt
it, so again we have symlink attacks.
Hole 7:
Also we again have the situation where an attacker can create the file
in /tmp full of malicious data that exploits any holes in sqlite,
and wait for someone to use Driver::db_file for the first time. I have
not checked to see if it creates world readable files too, but I'm
guessing it does.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages libcgi-session-perl depends on:
ii perl [libdigest-md5-perl] 5.8.8-2 Larry Wall's Practical Extraction
libcgi-session-perl recommends no packages.
-- no debconf information
--
see shy jo
--- End Message ---
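A hardened form of the Driver::File open quoted in the report, as an added example (not CGI::Session's code and not part of the Debian patch): it applies the two fixes the report asks for in Holes 1 and 2, O_EXCL on creation and an explicit 0600 mode instead of trusting the caller's umask. The function names and the private demo directory are assumptions.

```perl
#!/usr/bin/perl
# Added example, not CGI::Session's own code. Hardened session-file create/read
# for a file-backed driver: O_EXCL (Hole 1) and explicit 0600 mode (Hole 2).
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_RDONLY);
use File::Spec;
use File::Temp qw(tempdir);

# Create a brand-new session file. A fresh session id should never map to an
# existing path, so if the path already exists (a stale file, or a symlink an
# attacker planted in a shared directory) we refuse rather than write through it.
sub create_session_file {
    my ($directory, $sid, $data) = @_;
    my $path = File::Spec->catfile($directory, "cgisess_$sid");
    # O_EXCL: open(2) fails if the path exists, symlinks included, instead of
    # following it. 0600: owner-only, regardless of the process umask.
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "refusing to create $path: $!";
    print {$fh} $data;
    close $fh or die "close $path: $!";
    return $path;
}

# Read an existing session file; returns undef when the session does not exist.
sub read_session_file {
    my ($directory, $sid) = @_;
    my $path = File::Spec->catfile($directory, "cgisess_$sid");
    sysopen(my $fh, $path, O_RDONLY) or return undef;
    local $/;                       # slurp the whole file
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Demo in a private directory (assumption) rather than the shared /tmp the
# report describes; the symlink race in Hole 1 needs a directory the attacker
# can also write to, so a per-application directory removes that precondition.
my $dir  = tempdir(CLEANUP => 1);
my $path = create_session_file($dir, "abc123", "user=alice\n");
printf "created %s with mode %04o\n", $path, (stat $path)[2] & 07777;
print "read back: ", read_session_file($dir, "abc123");

# A second create for the same id fails instead of clobbering what is there.
eval { create_session_file($dir, "abc123", "overwrite attempt\n") };
print "second create refused: $@" if $@;
```

Setting umask(077) before creating the session object, as the report suggests, also gives 0600 files, but the explicit mode argument does not depend on every caller remembering to do so.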
--- Begin Message ---
Source: libcgi-session-perl
Source-Version: 4.07-1
We believe that the bug you reported is fixed in the latest version of
libcgi-session-perl, which is due to be installed in the Debian FTP archive:
libcgi-session-perl_4.07-1.diff.gz
to pool/main/libc/libcgi-session-perl/libcgi-session-perl_4.07-1.diff.gz
libcgi-session-perl_4.07-1.dsc
to pool/main/libc/libcgi-session-perl/libcgi-session-perl_4.07-1.dsc
libcgi-session-perl_4.07-1_all.deb
to pool/main/libc/libcgi-session-perl/libcgi-session-perl_4.07-1_all.deb
libcgi-session-perl_4.07.orig.tar.gz
to pool/main/libc/libcgi-session-perl/libcgi-session-perl_4.07.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Julien Danjou <[EMAIL PROTECTED]> (supplier of updated libcgi-session-perl
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.7
Date: Wed, 15 Mar 2006 11:43:24 +0100
Source: libcgi-session-perl
Binary: libcgi-session-perl
Architecture: source all
Version: 4.07-1
Distribution: unstable
Urgency: low
Maintainer: Julien Danjou <[EMAIL PROTECTED]>
Changed-By: Julien Danjou <[EMAIL PROTECTED]>
Description:
libcgi-session-perl - Persistent session data in CGI applications
Closes: 356555
Changes:
libcgi-session-perl (4.07-1) unstable; urgency=low
.
* New upstream release
* Update build-deps and deps
* Add dpatch support
* Add patch to fix several security holes (Closes: #356555)
Files:
--- End Message ---