Debian Security Advisory DSA 2649-1 (lighttpd - fixed socket name in world-writable directory)

Stefan Bühler discovered that the Debian specific configuration file for lighttpd webserver FastCGI PHP support used a fixed socket name in the world-writable /tmp directory. A symlink attack or a race condition could be exploited by a malicious user on the same machine to take over the PHP contr...

Information disclosure

Inkscape before 0.48.4 reads .eps files from /tmp instead of the current directory, which might cause Inkspace to process unintended files, allow local users to obtain sensitive information, and possibly have other unspecified impacts...

rpi-update tmpfile vulnerability

Raspberry Pi Firmware Updater Vulnerability Application: https://github.com/Hexxeh/rpi-update/ Version Tested: Github source as of 10ad1e975a 10th Feb commit Vulnerability 1: A malicious user can clobber any file due to insecure tmp file handling. Example: Any unprivileged user can create the...

OpenFabrics ibutils 1.5.7 /tmp File Clobber

OpenFabrics ibutils 1.5.7 /tmp clobbering vulnerability 3/6/2013 Larry W. Cashdollar @larry0 The infiniband diagnostic utiltiy handles files in /tmp insecurely. A malicious user can clobber root owned files with common symlink attacks. http://www.openfabrics.org/downloads/ibutils/ nobody@exdb01...

Raspberry Pi Firmware Updater File Clobber

Raspberry Pi Firmware Updater Vulnerability Application: https://github.com/Hexxeh/rpi-update/ Version Tested: Github source as of 10ad1e975a 10th Feb commit Vulnerability 1: A malicious user can clobber any file due to insecure tmp file handling. Example: Any unprivileged user can create the...

Oracle Auto Service Request File Clobber

Oracle Auto Service Request /tmp file clobbering vulnerability http://www.oracle.com/us/support/systems/premier/auto-service-request-155415.html http://docs.oracle.com/cd/E1847601/doc.220/e18478/asr.htm I noticed it creates files insecurely in /tmp using time stamps instead of mkstemp. You can...

Gambas /tmp Directory Hijack

Gambas Directory hijack vulnerability The gambas software package creates a directory in tmp to work from without verifying another user hasn't already created it. This allows a local user to hijack ownership. Describe the problem. Gambas creates a directory in /tmp called gambas.UID where UID is...

FreeBSD : rubygem-ruby_parser -- insecure tmp file usage (e1aa3bdd-839a-4a77-8617-cca439a8f9fc)

Michael Scherer reports : This is a relatively minor tmp file usage issue. %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from the FreeBSD VuXML database : Copyright 2003-2018 Jacques Vidrine and contributors Redistributi...

CVE-2013-0164

The lockwrap function in port-proxy/bin/openshift-port-proxy-cfg in Red Hat OpenShift Origin before 1.1 allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp...

rubygem-ruby_parser -- insecure tmp file usage

Michael Scherer reports: This is a relatively minor tmp file usage issue...

CVE-2013-0162 rubygem-ruby_parser: incorrect temporary file usage

The diffpp function in lib/gauntletrubyparser.rb in the rubyparser gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp...

CVE-2012-5564

android-tools 4.1.1 in Android Debug Bridge ADB allows local users to overwrite arbitrary files via a symlink attack on /tmp/adb.log...

UBUNTU-CVE-2012-5564

android-tools 4.1.1 in Android Debug Bridge ADB allows local users to overwrite arbitrary files via a symlink attack on /tmp/adb.log...

Design/Logic Flaw

The redirectstderr function in xnbdcommon.c in xnbd-server and xndb-wrapper in xNBD 0.1.0 allow local users to overwrite arbitrary files via a symlink attack on /tmp/xnbd.log...

Oracle Auto Service Request File Clobber

Oracle Auto Service Request software package creates files insecurely in /tmp using time stamps instead of mkstemp. You can clobber root owned files if you know when around the time the root administrator will be using this utility. larry@oracle-os-lab01 tmp$ for x in seq 500 999; do ln -s...

Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : inkscape vulnerabilities (USN-1712-1)

It was discoverd that Inkscape incorrectly handled XML external entities in SVG files. If a user were tricked into opening a specially crafted SVG file, Inkscape could possibly include external files in drawings, resulting in information disclosure. CVE-2012-5656 It was discovered that Inkscape...

PT-2013-1518 · Red Hat · Red Hat Enterprise Virtualization Manager

Name of the Vulnerable Software and Affected Versions: Red Hat Enterprise Virtualization Manager RHEV-M versions prior to 3.1 Description: The issue allows local users to gain privileges via a Trojan horse Python module, specifically deployUtil.py or vds bootstrap.py, in the /tmp/ directory when...

Centrify Deployment Manager 2.1.0.283 Local Root

/Local root exploit for Centrify Deployment Manager v2.1.0.283 local root, Centrify released a fix very quickly - nice vendor response. CVE-2012-6348 12/17/2012 http://vapid.dhs.org/advisories/centrifydeploymentmanagerinsecuretmp2.html Greetings vladz, Thanks for the inotify & syscall technique...

Centrify Deployment Manager v2.1.0.283

Centrify Deployment Manager v2.1.0.283 While at a training session for centrify, I noticed poor handling of files in /tmp. I was able to overwrite /etc/shadow with the contents of adcheckDMoutput. I am sure there are more vulnerabilities to be exploit, maybe a local root - but being this is a...

Centrify Deployment Manager v2.1.0.283 File Overwrite Vulnerability

Centrify Deployment Manager v2.1.0.283 version 2.1.0.283 appears to suffer from a root-level file overwrite vulnerability due to an insecure use of /tmp. Centrify Deployment Manager v2.1.0.283 While at a training session for centrify, I noticed poor handling of files in /tmp. I was able to...