[18039] in bugtraq
Re: [hacksware]Pine temporary file hijacking vulnerability
daemon@ATHENA.MIT.EDU (Thomas Corriher)
Tue Dec 12 18:55:14 2000
Message-Id:  <Pine.LNX.4.21.0012111647190.3607-100000@desktop.ast>
Date:         Mon, 11 Dec 2000 17:00:49 -0500
Reply-To: corriher@bellsouth.net
From: Thomas Corriher <corriher@BELLSOUTH.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.30.0012111741270.7292-100000@ivntech.com>

So many of these problems would just disappear if the
system's default profile had something like "$TMPDIR=$HOME"
or "$TMPDIR=$HOME/tmp".  Pine is not really the problem.
Poorly configured systems are the problem.  Linux
distributors: are you paying attention?  Why should all
users be given full access to any directory, especially if
most programs are designed to use that directory by default?
It is time that we wake up certain corporations and software
distribution companies.  This sloppiness should not be
tolerated.

This type of problem appears again, and again, and again; yet
these problems could be fixed with a one-liner.  Oh the insanity!
I am not even an expert on security matters, but I do know enough
about the basics to realize that many default configurations are
incredibly stupid.
--
  From the desk of Thomas Corriher
  Sent via Red Hat Linux
  Phone: +1-704-921-2470
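
The per-user temporary directory suggested in the message above, written out as a profile fragment. This is an added example, not part of the original post or of any distribution's defaults; the function name `setup_private_tmpdir` and the profile file name in the comment are assumptions.

```shell
# Constructed example: could be sourced from a system-wide profile such as
# /etc/profile.d/private-tmp.sh (file name is an assumption).
# setup_private_tmpdir is a hypothetical helper name.

setup_private_tmpdir() {
    _ptd_base=${1:-$HOME}
    _ptd_dir=$_ptd_base/tmp

    # Refuse a symlink: it could point temp files back into a shared directory.
    if [ -L "$_ptd_dir" ]; then
        echo "private-tmp: $_ptd_dir is a symlink, TMPDIR unchanged" >&2
        return 1
    fi

    # Create under a restrictive umask so the directory is never wider than 0700.
    if [ ! -e "$_ptd_dir" ]; then
        ( umask 077 && mkdir "$_ptd_dir" ) || return 1
    fi

    # It must be a real directory owned by the user who is logging in.
    if [ ! -d "$_ptd_dir" ] || [ ! -O "$_ptd_dir" ]; then
        echo "private-tmp: $_ptd_dir is not a directory you own, TMPDIR unchanged" >&2
        return 1
    fi

    # Tighten a pre-existing directory, then confirm the mode really is 0700.
    chmod 700 "$_ptd_dir" || return 1
    case $(ls -ld "$_ptd_dir") in
        drwx------*) ;;
        *)
            echo "private-tmp: could not restrict $_ptd_dir, TMPDIR unchanged" >&2
            return 1
            ;;
    esac

    TMPDIR=$_ptd_dir
    export TMPDIR
}

# In the profile itself the function would be called once per login:
#   setup_private_tmpdir || true
```

Programs that hard-code `/tmp` instead of honouring `TMPDIR` are not affected by this setting.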