CGI::Session Driver::db_file cgisess.db Remote Disclosure

2006-03-12T16:17:39
ID OSVDB:23867
Type osvdb
Reporter Joey Hess (joeyh@debian.org)
Modified 2006-03-12T16:17:39

Description

Vulnerability Description

CGI::Session contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when Driver::db_file writes the cgisess.db file with insecure permissions, which discloses session information and results in a loss of confidentiality.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Julien Danjou has released a patch to address this vulnerability.

References:

Vendor URL: http://search.cpan.org/~markstos/CGI-Session-4.07/
Vendor Specific News/Changelog Entry: http://bugs.debian.org/356555
Secunia Advisory ID: 19211
Related OSVDB ID: 23865
Related OSVDB ID: 23866
FrSIRT Advisory: ADV-2006-0946
CVE ID: CVE-2006-1280
Bugtraq ID: 17099