Bug#659379: uzbl: world-readable (and writable!) cookie jar

Fri, 10 Feb 2012 08:12:19 -0800 

Package: uzbl
Version: 0.0.0~git.20100403-3
Severity: grave
Tags: security
Justification: user security hole

$ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
drwxr-xr-x 3 user users 4096 Feb  9 23:29 /home/user/.local/
drwxr-xr-x 4 user users 4096 Feb  9 23:29 /home/user/.local/share/
drwxr-xr-x 2 user users 4096 Feb  9 23:29 /home/user/.local/share/uzbl/
-rw-rw-rw- 1 user users  732 Feb  9 23:29 
/home/user/.local/share/uzbl/cookies.txt

This allows local users to steal cookies (and tamper with them).

--
Jakub Wilk



--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to