Andreas Beckmann
2012-Aug-02 14:14 UTC
[Secure-testing-team] Bug#683649: extplorer: creates world writable directory /var/lib/extplorer/ftp_tmp
Package: extplorer
Version: 2.1.0b6+dfsg.3-3
Severity: grave
Tags: security
Justification: user security hole
User: debian-qa at lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed that your package creates a world writable directory:

  drwxrwxrwx 2 root root 60 Aug 1 07:46 /var/lib/extplorer/ftp_tmp

There any local user may delete/replace arbitrary files that were not created by the user himself.

If the write permissions cannot be restricted to a user or group, the sticky bit should be set on the directory to prevent users from manipulating files they don't own.

Andreas
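
The check and the sticky-bit mitigation described in the report, as an added shell example (not part of the original message, and not piuparts' own code). The function names and the temporary fixture tree are constructed for illustration; only the path and mode of ftp_tmp come from the report.

```shell
#!/bin/sh
# Added example: audit a tree for world-writable directories without the
# sticky bit, then apply the sticky-bit mitigation suggested in the report.

# find_unsafe_dirs ROOT
# Lists directories under ROOT that are writable by "other" (o+w) but lack
# the sticky bit, i.e. where any local user can delete or replace files
# owned by someone else.
find_unsafe_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# harden_dir DIR
# Sets the sticky bit so only a file's owner, the directory's owner or root
# can remove or rename entries. Restricting write access to one user or
# group is the tighter fix when the application allows it.
harden_dir() {
    chmod +t "$1"
}

# make_fixture
# Builds a constructed test tree in a temporary directory and prints its root.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/var/lib/extplorer/ftp_tmp" "$root/tmp" "$root/private"
    chmod 0777 "$root/var/lib/extplorer/ftp_tmp"  # reported mode: drwxrwxrwx
    chmod 1777 "$root/tmp"                         # world writable + sticky
    chmod 0755 "$root/private"                     # not world writable
    printf '%s\n' "$root"
}

# Demonstration on the constructed tree.
demo_root=$(make_fixture)
echo "unsafe before hardening:"
find_unsafe_dirs "$demo_root"
harden_dir "$demo_root/var/lib/extplorer/ftp_tmp"
echo "unsafe after hardening:"
find_unsafe_dirs "$demo_root"
ls -ld "$demo_root/var/lib/extplorer/ftp_tmp"
rm -rf "$demo_root"
```

On a real system, point find_unsafe_dirs at a package's data directory (for example /var/lib) after installation to catch this class of bug before release.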