[Am-info] GAIM dumps authentication information into /tmp/ files

Fred A. Miller fm@cupserv.org
Fri, 17 May 2002 15:51:12 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

GAIM dumps authentication information into /tmp/ files

GAIM version 0.57 creates insecure temporary files in /tmp/ when the
user uses the 'check MSN hotmail' option. The files are world-readable
and contain session information that could allow a local attacker
to recover the files and access the user's mailbox without requiring
authentication.

This vulnerability is confirmed; a fix was committed to the GAIM CVS.

Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0584.html

- --
Fred A. Miller
Systems Administrator
Cornell Univ. Press Services
fm@cupserv.org, www.cupserv.org
- --- SuSE Linux v8.0 Pro---
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAjzlXy8ACgkQB9vk4ichYXesgwCglWGLOaMEBeLi/GnSkC0WIaMy
jPcAn2Y2CKex1a90ZyVst8ZfIoX/kf/S
=8QfS
-----END PGP SIGNATURE-----
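
The file-permission problem described in the advisory, shown as an added example (not part of the original message and not GAIM's code). The file names, the session string and the fopen()-under-umask-022 pattern are assumptions chosen for illustration; the second function shows the owner-only alternative using mkstemp().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Permission bits of path, or -1 on error. */
static int perm_bits(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Weak pattern (assumed): fopen() creates the file with 0666 & ~umask,
 * so under a typical 022 umask every local user can read it. */
int weak_tmp_mode(const char *secret) {
    char path[64];
    snprintf(path, sizeof path, "/tmp/demo_session_%ld.html", (long)getpid());
    mode_t old = umask(022);            /* pin the common default umask */
    FILE *f = fopen(path, "w");
    umask(old);
    if (!f) return -1;
    fputs(secret, f);
    fclose(f);
    int mode = perm_bits(path);
    unlink(path);
    return mode;
}

/* Hardened: mkstemp() picks an unpredictable name and opens it with
 * O_CREAT|O_EXCL and mode 0600; fchmod() makes the mode explicit. */
int private_tmp_mode(const char *secret) {
    char path[] = "/tmp/demo_session_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    int ok = fchmod(fd, 0600) == 0 &&
             write(fd, secret, strlen(secret)) == (ssize_t)strlen(secret);
    close(fd);
    int mode = ok ? perm_bits(path) : -1;
    unlink(path);
    return mode;
}

int main(void) {
    printf("fopen:   %04o\n", (unsigned)weak_tmp_mode("session=constructed"));
    printf("mkstemp: %04o\n", (unsigned)private_tmp_mode("session=constructed"));
    return 0;
}
```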