[Full-Disclosure] Mozilla Thunderbird 0.8 / Firefox 0.9.3 temporary files (local)
From: Martin (broadcast_at_ptraced.net)
Date: 10/24/04
- Previous message: Matthias Geerdsen: "[Full-Disclosure] [ GLSA 200410-23 ] Gaim: Multiple vulnerabilities"
- Next in thread: Daniel Veditz: "Re: [Full-Disclosure] Mozilla Thunderbird 0.8 / Firefox 0.9.3 temporary files (local)"
- Reply: Daniel Veditz: "Re: [Full-Disclosure] Mozilla Thunderbird 0.8 / Firefox 0.9.3 temporary files (local)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: full-disclosure@lists.netsys.com Date: Sun, 24 Oct 2004 19:09:05 -0200
Advisory attached.
Mozilla Thunderbird 0.8 / Firefox 0.9.3 temporary files (local)
Martin (broadcast@ptraced.net)
-------------------
Program Description
-------------------
"Thunderbird, our latest email program, includes intelligent spam
filters, spell-checking, security, customization, and newsgroups
support."
www.mozilla.org
-------------------
Problem Description
-------------------
When opening an attachment, or a link included in an email, Thunderbird
prompts the user with a dialog box, giving the choice to "Save to Disk"
or to "Open with" <default program>.
For example, we receive a PDF document attached, and on the Attachments
section, we choose "Open".
broadcast:/tmp$ ls -l *.pdf
-rw------- 1 broadcast broadcast 2002560 2004-10-24 18:38 wskbq43m.pdf
While the dialog box is still open, the file permissions are OK, and the
filename is random (except for the extension).
If we choose to save it to disk, and check /tmp again:
broadcast:/tmp$ ls -l *.pdf
ls: *.pdf: No such file or directory
Great, it's gone. Now let's choose to open it with the default viewer
(in my case, xpdf).
Again, while the dialog box is open, there are no apparent problems.
broadcast:/tmp$ ls -l *.pdf
-rw------- 1 broadcast broadcast 2002560 2004-10-24 18:42 hp1h30si.pd
But after choosing to open it with xpdf:
broadcast:/tmp$ ls -l *.pdf
-rw-r--r-- 1 broadcast broadcast 2002560 2004-10-24 18:42 programming.pdf
The file becomes world readable, until the user closes xpdf, or whatever
application he chose to read the attachment.
Also, the filename becomes predictable, but if the filename already
exists on /tmp, Thunderbird will choose a similar filename, and won't
work on the existing one.
This exact issue affects Mozilla Firefox 0.9.3. I haven't tested
older/newer versions, and all of this was tested under Debian Unstable.
A copy of this advisory and future updates on this issue may be found on:
http://broadcast.ptraced.net/advisories/008-firefox.thunderbird.txt
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Previous message: Matthias Geerdsen: "[Full-Disclosure] [ GLSA 200410-23 ] Gaim: Multiple vulnerabilities"
- Next in thread: Daniel Veditz: "Re: [Full-Disclosure] Mozilla Thunderbird 0.8 / Firefox 0.9.3 temporary files (local)"
- Reply: Daniel Veditz: "Re: [Full-Disclosure] Mozilla Thunderbird 0.8 / Firefox 0.9.3 temporary files (local)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
