Gmane
From: Henri Salo <henri-k++t0c9yR9I <at> public.gmane.org>
Subject: CVE request - pyftpd insecure usage of temporary directory
Newsgroups: gmane.comp.security.oss.general
Date: Sunday 13th June 2010 20:04:30 UTC (over 6 years ago)
Pyftpd creates a log file in a temporary directory using a predictable
name. This allows a local attacker to create a denial of service
condition and discloses sensitive information to unprivileged users,
for example the accounts of other users connecting to the server and the
paths they visit.

One should use tempfile.mkstemp
<http://docs.python.org/library/tempfile.html#tempfile.mkstemp>
or use the /var/log/ directory instead of /tmp/ and use proper file system
modes for the log file.

This affects version: 0.8.4

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=585773

Can I have a CVE identifier for this issue?

---
Henri Salo
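
The two remedies named in the message, next to the pattern it reports, as an added example that is not part of the original post and is not pyftpd's code. The function names and the log file names (`ftpd.log`, `ftpd-fixed.log`) are hypothetical, and the script works inside a scratch directory it is given.

```python
import os
import stat
import tempfile

def open_log_predictable(path):
    # BEFORE: fixed name in a shared directory. open() reuses or follows
    # whatever already sits at the path, and the umask decides the mode.
    return open(path, "a")

def open_log_mkstemp(dir=None):
    # AFTER (option 1): mkstemp picks a random name, creates it with
    # O_EXCL and mode 0600, and hands back an already-open descriptor.
    fd, path = tempfile.mkstemp(prefix="ftpd-", suffix=".log", dir=dir)
    return os.fdopen(fd, "a"), path

def open_log_fixed(path, mode=0o600):
    # AFTER (option 2): fixed path in a directory only the daemon can write.
    # O_NOFOLLOW refuses a symlink; fstat checks what was really opened.
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW, mode)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
            raise PermissionError(f"refusing to log to {path}")
        os.fchmod(fd, mode)  # tighten a pre-existing file of ours
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")

def file_mode(path):
    return stat.S_IMODE(os.lstat(path).st_mode)

def compare(workdir):
    # Permission bits each approach yields under a typical umask of 022.
    old = os.umask(0o022)
    try:
        weak = os.path.join(workdir, "ftpd.log")  # constructed name
        open_log_predictable(weak).close()
        fixed = os.path.join(workdir, "ftpd-fixed.log")
        open_log_fixed(fixed).close()
        handle, rnd = open_log_mkstemp(dir=workdir)
        handle.close()
        return {"predictable": file_mode(weak), "fixed": file_mode(fixed),
                "mkstemp": file_mode(rnd)}
    finally:
        os.umask(old)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, mode in compare(d).items():
            print(f"{name:12} {mode:04o}")
```

For a long-lived server log the fixed-path variant is the usual fit, since `mkstemp` yields a new name on every start and the caller has to record the returned path somewhere.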