September 11 2017 | File::Path Security
February 2017: John Lightsey of the cPanel security team notified us:
In a nutshell, the chmod() logic to make directories traversable can be abused to set the mode on an attacker-chosen file to an attacker-chosen value. This is due to the TOCTOU race condition between the stat() that decides the inode is a directory and the chmod() that tries to make it user-rwx.
This is similar to a vulnerability described 12 years earlier, CVE-2005-0448: the same check-then-act pattern, where the stat() result is trusted after the path may have been swapped underneath it.
He provided a proof-of-concept that sets /etc/passwd to mode 4777 (setuid and world-writable): the directory being processed is replaced by a symlink to /etc/passwd between the stat() and the chmod(), and chmod() follows the symlink.
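The race Lightsey describes, as an added example that is not File::Path's code and not part of the talk: a Python model of the vulnerable stat()-then-chmod() sequence beside a descriptor-based variant, with a hook standing in for the attacker winning the race. The `passwd` file (standing in for /etc/passwd), the `subdir` directory and all function names are constructed for the demonstration; the fd-based version is one standard way to close the window, not the patch File::Path actually shipped.

```python
import os
import stat
import tempfile


def make_traversable_vulnerable(path, mode=0o700, race_hook=lambda: None):
    """The pattern Lightsey reported: check by name, then act by name.

    stat() follows symlinks and so does chmod(), but nothing ties the two
    calls to the same inode.  race_hook() marks the window in which an
    attacker can replace the directory with a symlink.
    """
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    race_hook()                 # attacker swaps the directory for a symlink
    os.chmod(path, mode)        # chmod() follows the symlink to its target
    return True


def make_traversable_fd(path, mode=0o700, race_hook=lambda: None):
    """Descriptor-based variant (an assumed fix, not File::Path's patch).

    The kernel refuses to open anything but a real directory (O_DIRECTORY)
    and refuses to follow a symlink at the final component (O_NOFOLLOW);
    fstat() and fchmod() then operate on that one inode, so replacing the
    path afterwards cannot redirect the chmod().
    """
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISDIR(st.st_mode):      # cannot happen after O_DIRECTORY
            raise NotADirectoryError(path)
        race_hook()                           # same window, but the fd is bound
        os.fchmod(fd, mode)
    finally:
        os.close(fd)
    return True


def run_race(make_traversable):
    """Stage the attack in a scratch directory and report the victim's mode.

    'passwd' stands in for /etc/passwd; 'subdir' is the directory the caller
    legitimately wants to make traversable.  Both are constructed here.
    """
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "passwd")
        with open(victim, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")   # constructed content
        os.chmod(victim, 0o644)

        target = os.path.join(root, "subdir")
        os.mkdir(target, 0o700)

        def attacker_swap():
            # Between check and use: the directory disappears and a symlink
            # of the same name now points at the file the attacker chose.
            os.rmdir(target)
            os.symlink(victim, target)

        try:
            # 0o4777 is the value from Lightsey's example: setuid + rwx for all.
            make_traversable(target, 0o4777, race_hook=attacker_swap)
        except OSError:
            pass   # the hardened variant may fail closed; that is the point
        return stat.S_IMODE(os.stat(victim).st_mode)


if __name__ == "__main__":
    print("vulnerable: victim mode %o" % run_race(make_traversable_vulnerable))
    print("fd-based:   victim mode %o" % run_race(make_traversable_fd))
```

With the vulnerable function the victim ends up world-writable (and setuid, where the filesystem honours the bit for the owner); with the descriptor-based function it keeps mode 0644, because the open(2) either rejects the symlink outright or the fchmod(2) lands on the original directory inode regardless of what the name now points at. Perl's chmod accepts a filehandle on platforms with fchmod(2), and Fcntl exports O_NOFOLLOW and O_DIRECTORY, so the same structure is available to File::Path-style code.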
Copyright © 2017 James E Keenan