GeneWeb maintainer scripts insecure file permissions
geneweb-insecure-file-permission (20176)
Description:
GeneWeb could allow a local attacker to modify arbitrary files due to insecure permissions in the maintainer scripts. While upgrading GeneWeb, the maintainer scripts fail to verify file permissions and content information. A local attacker could exploit this vulnerability to modify arbitrary files on the system with the privileges of the user running the maintainer scripts.
Platforms Affected:
- Daniel de Rauglaudre, GeneWeb 4.10 and prior
- Debian, Debian Linux 3.0
Remedy:
For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest version of geneweb (4.06-2woody1 or later), as listed in DSA-712-1. See References.
Consequences:
File Manipulation
References:
- GeneWeb Web site, GeneWeb at http://pauillac.inria.fr/~ddr/GeneWeb/en/.
- BID-13262: GeneWeb Maintainer Scripts Unspecified Insecure File Operations Vulnerability
- CVE-2005-0391: geneweb 4.10 and earlier does not properly check file permissions and content during conversion, which allows attackers to modify arbitrary files.
- DSA-712: geneweb -- insecure file operations
Reported:
Apr 18, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
