Ruby insecure file permissions in the CGI session management

2004-08-16T00:00:00
ID E811AAF1-F015-11D8-876F-00902714CC7C
Type freebsd
Reporter FreeBSD
Modified 2004-08-28T00:00:00

Description

According to a Debian Security Advisory:

Andres Salomon noticed a problem in the CGI session management of Ruby, an object-oriented scripting language. CGI::Session's FileStore (and presumably PStore [...]) implementations store session information insecurely. They simply create files, ignoring permission issues. This can lead an attacker who also has shell access to the webserver to take over a session.
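The following Ruby is an added illustration of the issue class the advisory describes; it is not code from Ruby's CGI::Session, from FreeBSD or from Debian. It contrasts creating a session file while ignoring permissions (the file inherits whatever the process umask allows) with creating it at mode 0600 under O_EXCL, and adds a small audit helper a defender could run over a session directory. The file-name prefix `ruby_sess.` and the helper names are assumptions for the example.

```ruby
require 'tmpdir'

# Added example, not Ruby's CGI::Session code. The "ruby_sess." prefix and
# all function names here are assumptions made for illustration.

# Insecure pattern: the file is created with no explicit mode, so it gets
# whatever the process umask leaves. The umask is pinned to the common 022
# here so the behaviour is deterministic; the result is a world-readable file.
def write_session_file_insecure(dir, session_id, data)
  path = File.join(dir, "ruby_sess.#{session_id}")
  old_umask = File.umask(0o022)
  begin
    File.open(path, "w") { |f| f.write(data) }
  ensure
    File.umask(old_umask)
  end
  path
end

# Hardened pattern: request mode 0600 at creation time so the file is never
# wider than owner-only, and use O_EXCL so a pre-existing file or symlink at
# that path is refused (Errno::EEXIST) rather than silently reused.
def write_session_file_secure(dir, session_id, data)
  path = File.join(dir, "ruby_sess.#{session_id}")
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(data)
  end
  path
end

# Detection helper: true when any group or other permission bit is set,
# i.e. another local user could read or modify the session file.
def exposed_to_others?(path)
  (File.stat(path).mode & 0o077) != 0
end

# Audit a session directory and return the session files that are exposed
# to other local users.
def audit_session_dir(dir)
  Dir.glob(File.join(dir, "ruby_sess.*")).select { |p| exposed_to_others?(p) }
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    write_session_file_insecure(dir, "insecure", "user_id=42")
    write_session_file_secure(dir, "secure", "user_id=42")
    exposed = audit_session_dir(dir).map { |p| File.basename(p) }
    puts "exposed session files: #{exposed.inspect}"
  end
end
```

Running the script creates both files in a temporary directory and reports only the insecure one as exposed. The two relevant controls are the explicit mode argument to `File.open` (permissions are set atomically at creation, not fixed up afterwards with `chmod`) and `File::EXCL`, which turns an attacker-planted file at the expected path into an error instead of a session to hijack.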