Julien Danjou wrote:
> > Hole 6:
> >
> > Driver::sqlite writes to /tmp/sessions.sqlt by default. I have not
> > checked to see if DBI->connect opens the file with O_EXCL, but I doubt
> > it, so again we have symlink attacks.
> >
> > Hole 7:
> >
> > Also we again have the situation where an attacker can create the file
> > in /tmp full of malicious data that exploits any holes in sqlite,
> > and wait for someone to use Driver::db_file for the first time. I have
> > not checked to see if it creates world-readable files too, but I'm
> > guessing it does.
>
> Don't know how to handle this right now, and not sure this is a
> CGI::Session bug, maybe a DBI one.
Maybe this could be fixed by having CGI::Session create/open the file with O_EXCL before using DBI. Assuming an empty file would not confuse DBI, this would prevent attacks. Alternatively, it could safely create a temporary directory and tell DBI to write to a file in there.

I think this bug should probably be reopened to make sure these last security holes don't get forgotten.

-- 
see shy jo
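The two fixes proposed above (create the file with O_EXCL before handing it to the DB layer, or put it in a freshly made private directory) are language-independent. The following is an added example, not code from CGI::Session, DBI or anyone in this thread; it uses Python's sqlite3 module as a stand-in for Perl DBI so the behaviour can be run and checked. The function names, the sandbox directory standing in for /tmp and the planted symlink are all constructed for the demonstration.

```python
"""Added illustration of the O_EXCL-before-DBI and private-directory fixes.
Python sqlite3 stands in for Perl DBI; names here are hypothetical."""
import os
import shutil
import sqlite3
import stat
import tempfile

SCHEMA = "CREATE TABLE IF NOT EXISTS sessions (id TEXT PRIMARY KEY, a_session TEXT)"


def naive_open(path):
    """What the report describes Driver::sqlite doing: pass a predictable
    path such as /tmp/sessions.sqlt straight to the DB layer.  A symlink an
    attacker planted there is followed, so the database is written to the
    link target; a pre-seeded file is parsed as attacker-controlled data."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.commit()
    return conn


def exclusive_create_open(path):
    """Fix 1: create the file ourselves with O_CREAT|O_EXCL (plus O_NOFOLLOW
    where available) and mode 0600 before the DB layer sees it.  POSIX makes
    O_EXCL fail with EEXIST on a pre-existing symlink regardless of where it
    points, so both the symlink and the pre-seeded-file attacks are refused
    instead of silently reused."""
    flags = os.O_RDWR | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)  # FileExistsError if anything is already there
    try:
        # Confirm the name still resolves to the inode we just created, in
        # case the directory is not sticky and a rename raced us.
        created = os.fstat(fd)
        on_disk = os.lstat(path)
        if not stat.S_ISREG(on_disk.st_mode) or (
            created.st_dev, created.st_ino) != (on_disk.st_dev, on_disk.st_ino):
            raise OSError(f"{path} was replaced between create and check")
    finally:
        os.close(fd)
    # An empty file is a valid empty SQLite database, so the DB layer is not
    # confused by the file we pre-created (the assumption the reply makes).
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.commit()
    return conn


def private_dir_open(basename="sessions.sqlt"):
    """Fix 2: make a fresh mode-0700 directory with mkdtemp and keep the
    database inside it.  No other user can create entries there, so there is
    nothing to collide with; we still use O_EXCL for the file itself."""
    d = tempfile.mkdtemp(prefix="cgisess-")
    path = os.path.join(d, basename)
    return exclusive_create_open(path), path


def demo():
    """Constructed scenario: an attacker pre-plants a symlink at the
    predictable path, pointing at a file they want clobbered.  Returns
    (naive code wrote through the link, O_EXCL variant refused,
     mode of the private directory)."""
    sandbox = tempfile.mkdtemp(prefix="tmpdemo-")  # stands in for /tmp
    try:
        victim = os.path.join(sandbox, "victim")
        open(victim, "w").close()  # empty target the attacker wants overwritten
        db_path = os.path.join(sandbox, "sessions.sqlt")
        os.symlink(victim, db_path)

        naive_open(db_path).close()
        victim_grew = os.path.getsize(victim) > 0  # sqlite wrote through the symlink

        try:
            exclusive_create_open(db_path)
            hardened_refused = False
        except FileExistsError:
            hardened_refused = True

        conn, priv_path = private_dir_open()
        conn.close()
        priv_dir = os.path.dirname(priv_path)
        private_dir_mode = stat.S_IMODE(os.stat(priv_dir).st_mode)
        shutil.rmtree(priv_dir)
    finally:
        shutil.rmtree(sandbox)
    return victim_grew, hardened_refused, private_dir_mode


if __name__ == "__main__":
    print(demo())
```

Note that the O_EXCL variant relies on the shared directory being sticky (as /tmp normally is) so that nobody else can unlink or rename the file once it exists; the private-directory variant does not depend on that, which is why it is the more robust of the two.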