Joe Text Editor DEADJOE Symbolic Link Vulnerability

joe is a text editor by Joseph Allen that offers functions familiar to users of both Microsoft text editors and vi. A problem occurs with the editor when a session exits abnormally.

Upon abnormal exit, the text editor saves any changes made to the file being edited into a new file named DEADJOE in the current working directory. When saving this file, the text editor does not check the file type. A user editing a file in a directory writable by others could have other files written to if a malicious user were to symbolically link the DEADJOE file to a file to which the user has owner or group write access. The contents of the joe session would then be appended to the symbolically linked file, potentially corrupting it.
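One way a program can open a crash-recovery file such as DEADJOE without following a planted symbolic link, shown as an added example (it is not joe's code and not part of the original advisory). The function names and the temporary directory are hypothetical, and a POSIX system with O_NOFOLLOW is assumed.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` for appending only if it is a regular, singly-linked file
 * owned by the caller. Returns an fd, or -1 if the path is refused. */
int open_recovery_file(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW: open() fails if the final path component is a symlink. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Check the descriptor, not the name, so the result cannot be raced. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: in a fresh temp directory, DEADJOE is a symlink to
 * "victim". Returns 1 if the symlink is refused and victim stays empty,
 * and a plain DEADJOE is accepted afterwards. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/deadjoe-demo-XXXXXX";
    struct stat st;
    int fd, ok;

    if (!mkdtemp(dir) || chdir(dir) != 0)
        return 0;
    fd = open("victim", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || close(fd) != 0 || symlink("victim", "DEADJOE") != 0)
        return 0;
    ok = (open_recovery_file("DEADJOE") == -1);       /* symlink refused */
    ok = ok && stat("victim", &st) == 0 && st.st_size == 0;
    unlink("DEADJOE");
    fd = open_recovery_file("DEADJOE");               /* regular file accepted */
    ok = ok && fd >= 0 && write(fd, "text\n", 5) == 5;
    if (fd >= 0) close(fd);
    unlink("DEADJOE"); unlink("victim");
    if (chdir("/") != 0 || rmdir(dir) != 0) ok = 0;
    return ok;
}

int main(void) { return demo_symlink_refused() ? 0 : 1; }
```

The link-count and ownership checks go beyond what the advisory describes; they also reject hard links and files owned by another user.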


 

Copyright 2010, SecurityFocus