FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Ruby insecure file permissions in the CGI session management

Affected packages
ruby < 1.6.8.2004.07.26
1.7.0 <= ruby < 1.8.1.2004.07.23

Details

VuXML ID e811aaf1-f015-11d8-876f-00902714cc7c
Discovery 2004-08-16
Entry 2004-08-16
Modified 2004-08-28

According to a Debian Security Advisory:

Andres Salomon noticed a problem in the CGI session management of Ruby, an object-oriented scripting language. CGI::Session's FileStore (and presumably PStore [...]) implementations store session information insecurely. They simply create files, ignoring permission issues. This can lead an attacker who also has shell access to the web server to take over a session.
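The flaw described above (a session file created with whatever mode the process umask allows) contrasted with a store that pins the mode, plus a check that flags exposed session files. This is an added example, not code from the VuXML entry or from Ruby's own CGI::Session; the `ruby_sess.*` naming and the helper names are assumptions.

```ruby
# Added example (not Ruby's CGI::Session code): a umask-dependent session
# store beside one with an explicit 0600 mode, and an audit of a session dir.
require "tmpdir"

# Run a block under a given umask, restoring the previous one afterwards.
def with_umask(mask)
  old = File.umask(mask)
  yield
ensure
  File.umask(old)
end

# Weak pattern: File.open("w") leaves the mode to the umask. Under the 022
# umask typical of a web server this yields 0644, i.e. world-readable.
def store_session_insecure(dir, sid, data)
  path = File.join(dir, "ruby_sess.#{sid}")
  File.open(path, "w") { |f| f.write(data) }
  path
end

# Hardened pattern: explicit 0600 mode, and O_EXCL so a file already present
# at that path is rejected instead of being silently reused.
def store_session_secure(dir, sid, data)
  path = File.join(dir, "ruby_sess.#{sid}")
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) { |f| f.write(data) }
  path
end

# Permission bits of a file as an integer such as 0o644.
def perm_bits(path)
  File.stat(path).mode & 0o777
end

# Audit: session files in dir whose group or other bits are set.
def exposed_session_files(dir)
  Dir.glob(File.join(dir, "ruby_sess.*")).select { |p| (perm_bits(p) & 0o077) != 0 }
end

# Demonstration on a constructed temporary directory (sample data only).
def demo
  Dir.mktmpdir do |dir|
    with_umask(0o022) do
      store_session_insecure(dir, "weak", "user=alice")
      store_session_secure(dir, "fixed", "user=alice")
    end
    { insecure: perm_bits(File.join(dir, "ruby_sess.weak")),
      secure:   perm_bits(File.join(dir, "ruby_sess.fixed")),
      exposed:  exposed_session_files(dir).map { |p| File.basename(p) } }
  end
end
```

The audit helper can be pointed at a live session directory (for example Ruby's default tmp location on an affected host) to confirm whether any session files are readable by other local accounts.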

References

CVE Name CVE-2004-0755
Message http://marc.theaimsgroup.com/?l=bugtraq&m=109267579822250&w=2
URL http://www.debian.org/security/2004/dsa-537
URL http://xforce.iss.net/xforce/xfdb/16996