Perl Cache-Cache version 1.06 suffers from an insecure permission vulnerability.
FileCache: tmp file permission vulnerability.
Larry W. Cashdollar
Vapid Labs http://vapid.dhs.org
2/16/2010
Perl Cache-Cache-1.06 is a memory and file caching module for Perl. It
stores its default file cache in /tmp with world read/write permissions. A
local attacker can use this cache to glean information from applications
using the module, regardless of whether the transaction is taking place
over an encrypted SSL session.
root@dev-unix-sec01:/tmp# ls -l --color=no
total 200
drwxrwxrwx 3 root root 4096 Feb 10 12:53 FileCache
root@dev-unix-sec01:/tmp/FileCache/Default# ls -l --color=no
total 64
drwxrwxrwx 17 root root 4096 Feb 11 16:10 0
drwxrwxrwx 18 root root 4096 Feb 10 15:50 1
drwxrwxrwx 18 root root 4096 Feb 11 16:11 2
drwxrwxrwx 16 root root 4096 Feb 11 16:09 3
drwxrwxrwx 18 root root 4096 Feb 10 15:51 4
drwxrwxrwx 17 root root 4096 Feb 11 16:09 5
drwxrwxrwx 18 root root 4096 Feb 10 15:51 6
drwxrwxrwx 15 root root 4096 Feb 11 16:09 7
drwxrwxrwx 17 root root 4096 Feb 10 15:51 8
drwxrwxrwx 18 root root 4096 Feb 11 16:10 9
drwxrwxrwx 17 root root 4096 Feb 10 15:51 a
drwxrwxrwx 17 root root 4096 Feb 11 16:09 b
drwxrwxrwx 17 root root 4096 Feb 11 16:10 c
drwxrwxrwx 18 root root 4096 Feb 11 16:11 d
drwxrwxrwx 17 root root 4096 Feb 11 16:09 e
drwxrwxrwx 16 root root 4096 Feb 11 16:10 f
root@dev-unix-sec01:/tmp/FileCache/Default/f/f/9# ls -l --color=no
total 64
-rw-r--r-- 1 root root 8035 Feb 12 08:39 ff9984b83c656ad4884e116bcf60fdca16be6483
-rw-r--r-- 1 root root 51521 Feb 12 08:37 ff9ebcc002b4067391f0baae96c3e23e8ef248a8
root@dev-unix-sec01:/tmp/FileCache/Default/f/f/9#
root@dev-unix-sec01:/tmp/FileCache/Default/f/f/9# strings ff9984b83c656ad4884e116bcf60fdca16be6483 |more
prod-mail-list02.example.com
Cache::Object
_Size Kv
_Expires_At
_Key KuZ
_Created_At
adduser-3.105ubuntu1
apache2-2.2.8-1ubuntu0.11
apache2.2-common-2.2.8-1ubuntu0.11
apache2-mpm-worker-2.2.8-1ubuntu0.11
apache2-utils-2.2.8-1ubuntu0.11
apt-0.7.9ubuntu17.2
aptitude-0.4.9-2ubuntu5
apt-utils-0.7.9ubuntu17.2
at-3.1.10ubuntu4
atsar-1.7-2
base-files-4.0.1ubuntu5.8.04.7
base-passwd-3.5.16
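A check for the exposure shown in the listing above, as an added example that is not part of the original advisory or of Cache::Cache. The function names audit_cache_root and make_sample_tree and the sample tree are constructed for illustration; the script flags world-writable cache directories and cache entries that other local users can reach and read.

```sh
#!/bin/sh
# Added example, not part of the advisory or of Cache::Cache.
# audit_cache_root ROOT: print one finding per line; return 0 if clean,
# 1 if exposed, 2 if ROOT is missing. Run as the account that uses the cache.
audit_cache_root() {
    root=$1
    # A symlinked root under /tmp could point anywhere; report it and stop.
    if [ -L "$root" ]; then echo "symlink-root $root"; return 1; fi
    if [ ! -d "$root" ]; then echo "missing-root $root"; return 2; fi
    report=$(
        # Root that was created by some other account.
        [ -O "$root" ] || echo "foreign-owner $root"
        # Directories any local user can write into (the drwxrwxrwx case).
        find "$root" -type d -perm -0002 | sed 's/^/world-writable-dir /'
        # World-readable entries, skipping subtrees other users cannot enter.
        find "$root" -type d ! -perm -0001 -prune -o \
            -type f -perm -0004 -print | sed 's/^/world-readable-entry /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# make_sample_tree ROOT DIRMODE: constructed tree shaped like the listing
# (hashed subdirectories, one entry written with a 022 umask).
make_sample_tree() {
    mkdir -p "$1/Default/f/f/9"
    echo "constructed sample entry" > "$1/Default/f/f/9/sample_entry"
    find "$1" -type d -exec chmod "$2" {} +
    chmod 644 "$1/Default/f/f/9/sample_entry"
}

# Demo on a constructed tree with the 0777 directory modes from the listing.
demo=$(mktemp -d)
make_sample_tree "$demo/FileCache" 777
audit_cache_root "$demo/FileCache" || echo "=> cache is exposed to other local users"
rm -rf "$demo"
```

With 0700 directories the same 0644 entry is no longer reported, because the prune step stops at the first directory other users cannot enter.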
This can be fixed with a simple patch:
larry@brazil:~/Desktop/Cache-Cache-1.06/lib/Cache$ diff -Nur FileCache.pm 1
--- FileCache.pm 2009-02-28 19:53:14.000000000 -0500
+++ 1 2010-02-12 21:13:31.000000000 -0500
@@ -35,7 +35,7 @@
# by default, the root of the cache is located in 'FileCache'. On a
# UNIX system, this will appear in "/tmp/FileCache/"
-my $DEFAULT_CACHE_ROOT = "FileCache";
+my $DEFAULT_CACHE_ROOT = qw(FileCache_) . $>;
# by default, the directories in the cache on the filesystem should
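Review bot: the new root on the "+my $DEFAULT_CACHE_ROOT" line is still a predictable name under /tmp (FileCache_ plus the effective UID), and nothing in this hunk checks who owns a directory that already exists at that path. Another local account can create that directory first, so the code that creates the root should refuse a pre-existing directory that is not owned by $> or that is accessible to group or others. Separately, qw(FileCache_) . $> relies on qw yielding its last element in scalar context; "FileCache_$>" says the same thing directly. The comment above still names 'FileCache' and "/tmp/FileCache/" and should be updated to match.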
@@ -43,7 +43,7 @@
# potential security concern, the actual cache entries are written
# with the user's umask, thus reducing the risk of cache poisoning
-my $DEFAULT_DIRECTORY_UMASK = 000;
+my $DEFAULT_DIRECTORY_UMASK = 077;
sub Clear
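Review bot: the 077 default on the "+my $DEFAULT_DIRECTORY_UMASK" line only applies to directories created from now on and does nothing for trees that already exist. Combined with the root rename in the previous hunk, the old /tmp/FileCache tree stays on disk with its drwxrwxrwx directories and readable entries, so the fix should ship with a cleanup step or at least a note telling administrators to remove it. The comment kept as context still describes the open directories as acceptable because entries are written with the user's umask; it no longer matches the new default and should be reworded.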
Cache::Cache is no longer being developed;
http://search.cpan.org/~jswartz/CHI-0.34/lib/CHI.pm should be used instead.
http://vapid.dhs.org/w/doku.php?id=perl_cache:cache_filecache_permissions_issue