Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

kde.kmail.tmp.dir.txt

🗓️ 17 Aug 1999 00:00:00Reported by Packet StormType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 37 Views

KDE K-Mail has a vulnerability allowing local attackers to compromise user IDs via insecure directories.

Code
`Date: Wed, 9 Jun 1999 14:52:49 -0700  
From: [email protected]  
Reply-To: X-Force <[email protected]>  
To: [email protected]  
Subject: ISSalert: ISS Security Advisory: KDE K-Mail File Creation Vulnerability  
  
TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to  
[email protected] Contact [email protected] for help with any problems!  
---------------------------------------------------------------------------  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
ISS Security Advisory  
June 9, 1999  
  
KDE K-Mail File Creation Vulnerability  
  
Synopsis:  
  
Internet Security Systems (ISS) X-Force has discovered a vulnerability in  
KDE's K-Mail mail user agent software. KDE is a very popular window manager  
available for most Unix platforms, and provides an easy-to-use interface and  
a number of graphical front ends to common command-line Unix applications.  
K-Mail contains a vulnerability that may allow local attackers to compromise  
the UID of whoever is running K-Mail. The mail client creates insecure  
temporary directories that are used to store MIME encoded files.  
  
Affected Versions:  
  
ISS X-Force has confirmed that this vulnerability exists on version 1.1 of  
KDE window management software.  
  
To determine if you are vulnerable, run the KDE Control Center application  
and see if the version of KDE reported is 1.1 or earlier.  
  
Description:  
  
When K-Mail receives an e-mail with attachments, it creates a directory to  
store the attachments. K-Mail does not verify that the directory already  
exists, and is willing to follow symbolic links, allowing local attackers to  
create files with the contents they choose in any directory writable by the  
user executing K-Mail. If K-Mail is run as root, unauthorized superuser  
access may be obtained.  
  
Fix Information:  
  
KDE has a patch that addresses this vulnerability. It can be retrieved at:  
  
ftp://ftp.kde.org/pub/kde/security_patches/kmail-security-patch.diff  
  
Additional Information:  
  
Information in this advisory was obtained by the research of Brian Mitchell  
[email protected]. ISS X-Force would like to thank Stefan Taferner, Markus  
Wuebben, and the entire KDE organization for their rapid response to this  
vulnerability.  
  
________  
  
Copyright (c) 1999 by Internet Security Systems, Inc. Permission is  
hereby granted for the electronic redistribution of this Security Alert.  
It is not to be edited in any way without express consent of the X-Force.  
If you wish to reprint the whole or any part of this Alert Summary in any  
other medium excluding electronic medium, please e-mail [email protected] for  
permission  
  
About ISS  
ISS is the pioneer and leading provider of adaptive network security  
software delivering enterprise-wide information protection solutions. ISS'  
award-winning SAFEsuite family of products enables information risk  
management within intranet, extranet and electronic commerce environments.  
By combining proactive vulnerability detection with real-time intrusion  
detection and response, ISS' adaptive security approach creates a flexible  
cycle of continuous security improvement, including security policy  
implementation and enforcement. ISS SAFEsuite solutions strengthen the  
security of existing systems and have dramatically improved the security  
posture for organizations worldwide, making ISS a trusted security advisor  
for firms in the Global 2000, 21 of the 25 largest U.S. commercial banks  
and over 35 governmental agencies. For more information, call ISS at  
678-443-6000 or 800-776-2362 or visit the ISS Web site at www.iss.net.  
  
Disclaimer  
The information within this paper may change without notice. Use of this  
information constitutes acceptance for use in an AS IS condition. There  
are NO warranties with regard to this information. In no event shall the  
author be liable for any damages whatsoever arising out of or in  
connection with the use or spread of this information. Any use of this  
information is at the user's own risk.  
  
X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as  
well as on MIT's PGP key server and PGP.com's key server.  
  
Please send suggestions, updates, and comments to:  
X-Force <[email protected]> of Internet Security Systems, Inc.  
  
-----BEGIN PGP SIGNATURE-----  
Version: 2.6.3a  
Charset: noconv  
  
iQCVAwUBN17KEjRfJiV99eG9AQFoKwQAr+KcaxMp3mfYo7THfT02+XS7FS6fiMzk  
PX1y5fVSoArxqbDnjCkDlmCNrXgI+1Di+ppma3TYJdyemEZfylNeic3WHaCrIcg6  
ntZ1Q4/EgnXmC0dPEK/wugGuO/WWLPKww7m1HYnt3sAwVTN5VOYQtdrBXR2XtBnY  
1Tt8b5HVqCw=  
=Qv9+  
-----END PGP SIGNATURE-----  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Aug 1999 00:00Current
7.4High risk
Vulners AI Score7.4
kdek-mailfile creation vulnerabilitylocal attackersuid compromiseinsecure temporary directoriespatch availableversion confirmation.
37