[Full-disclosure] FileCache: tmp file permission vulnerability.
paul.szabo at sydney.edu.au
paul.szabo at sydney.edu.au
Sat Apr 3 07:35:24 BST 2010
Vladimir Lettiev <thecrux at gmail.com> wrote:
>> Perl Cache-Cache-1.06 ... stores its default file cache
>> in /tmp with world read/write permissions. ...
>
> This is documented behaviour. You can override insecure default cache
> root and umask with options 'cache_root' and 'directory_umask':
> use Cache::FileCache;
> use File::Temp qw/ tempdir /;
> my $cache = new Cache::FileCache( {
> 'cache_root' => tempdir('CacheXXXXX'),
> 'directory_umask' => 077,
> } );
The default should be secure. Interested people, with intimate knowledge
of inner workings, might go to contortions and change to insecure.
Cheers, Paul
Paul Szabo psz at maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Full-Disclosure is hosted and sponsored by Secunia.