Henri Salo | 13 Jun 22:04 2010

CVE request - pyftpd insecure usage of temporary directory

Pyftpd creates log-file to a temporary directory using predictable
name. This allows a local attacker to create a denial of service
condition and discloses sensitive information to unprivileged users.
For example accounts of other users connecting to server and paths they

One should use tempfile.mkstemp
<http://docs.python.org/library/tempfile.html#tempfile.mkstemp> or
use /var/log/ -directory instead of /tmp/ and use proper file system
modes for the log-file.

This affects version: 0.8.4


Can I have CVE-identifier for this issue?

Henri Salo