OpenBSD VuXML: Documenting security issues in the OpenBSD Ports & Packages Collection

ruby -- insecure file permissions

Affected packages
ruby < 1.8.1p1

Details

VuXML ID 81639df2-efe8-11d8-a1f0-00304f19272c
Discovery 2004-07-22
Entry 2004-08-17

Andres Salomon noticed a problem in the CGI session management of Ruby, an object-oriented scripting language. CGI::Session's FileStore (and presumably PStore) implementations store session information insecurely: they simply create files, ignoring permission issues. This can allow an attacker who also has shell access to the webserver to take over a session.
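The following Ruby sketch is an added illustration, not Ruby's CGI::Session code or part of the original advisory. It contrasts a session file whose mode is left to the process umask with one created owner-only, and audits a directory for session files accessible to group or other. The function names and the `sess_` file prefix are hypothetical.

```ruby
require 'tmpdir'

# Constructed stand-in for a file-backed session store (hypothetical names).
# Weak form: the file mode is left to the process umask.
def write_session_weak(dir, sid, data)
  path = File.join(dir, "sess_#{sid}")
  File.open(path, 'w') { |f| f.write(data) }
  path
end

# Hardened form: create exclusively (fails if the path already exists)
# with mode 0600, then enforce the mode regardless of the umask.
def write_session_private(dir, sid, data)
  path = File.join(dir, "sess_#{sid}")
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.chmod(0o600)
    f.write(data)
  end
  path
end

# Audit: session files whose mode grants any access to group or other.
def exposed_session_files(dir)
  Dir.glob(File.join(dir, 'sess_*')).select do |p|
    (File.stat(p).mode & 0o077) != 0
  end.sort
end

# Runs both writers in a temporary directory and reports the resulting modes.
def demo
  Dir.mktmpdir do |dir|
    old = File.umask(0o022) # common default umask, set explicitly here
    begin
      weak = write_session_weak(dir, 'aaaa', 'user=alice') # constructed data
      priv = write_session_private(dir, 'bbbb', 'user=bob')
      {
        weak_mode: File.stat(weak).mode & 0o777,
        private_mode: File.stat(priv).mode & 0o777,
        exposed: exposed_session_files(dir).map { |p| File.basename(p) }
      }
    ensure
      File.umask(old)
    end
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

With a umask of 022 the weak writer leaves the file readable by every local account, which is the condition the advisory describes; the audit function flags only that file.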

References

CVE Name CAN-2004-0755
URL http://www.nl.debian.org/security/2004/dsa-537