jpilot World Readable Storage Directory Vulnerability

jpilot is a Palm device syncing suite designed to run on the Linux operating system, written by Judd Montgomery. A problem exists which could allow local users unauthorized access to sensitive information.

The problem occurs in the creation of the .jpilot directory. jpilot stores all information from the Palm device in a .jpilot directory in the user's $HOME. The directory and the files in the tree are created with the permissions left by the user's umask, which on most systems yields 0755 for directories and 0644 for files. This makes it possible for any user on the local system with access to the user's $HOME directory to descend the .jpilot tree and read its contents. A user with malicious intent could scour these files for information that may lead to other threats.
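The exposure above comes from an application relying on the inherited umask instead of setting its own permissions. The following shell helper, added here as an example and not code from the advisory or from jpilot, audits a private data directory for any entry readable, writable or searchable by group or other users, and tightens the tree to owner-only access. It assumes a POSIX shell with find(1) and chmod(1); the directory path (for example "$HOME/.jpilot") is a parameter, and the demo builds a constructed directory with a sample file rather than touching real data.

```shell
#!/bin/sh
# Added example, not part of the original advisory or of the jpilot project.
# Assumes POSIX sh, find(1) and chmod(1).

# List every entry under the given directory that grants group or other users
# any read, write or execute/search permission. Prints the offending paths and
# returns 1 if any were found, 0 if the whole tree is owner-only.
audit_private_tree() {
    exposed=$(find "$1" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                        -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed"
    return 1
}

# Tighten the tree so only the owner can read, write or traverse it:
# directories become 0700 and regular files 0600. find(1) does not follow
# symbolic links here, so a link pointing outside the tree is never chmod'ed.
lock_private_tree() {
    find "$1" -type d -exec chmod 700 {} + &&
    find "$1" -type f -exec chmod 600 {} +
}

# Stand-alone demonstration on a constructed directory that mimics the
# vulnerable layout (0755 directory, 0644 data file named example.pdb).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -m 755 "$tmp/.jpilot"
    : > "$tmp/.jpilot/example.pdb"
    chmod 644 "$tmp/.jpilot/example.pdb"
    echo "before:"
    audit_private_tree "$tmp/.jpilot" || echo "-> readable by other local users"
    lock_private_tree "$tmp/.jpilot"
    echo "after:"
    audit_private_tree "$tmp/.jpilot" && echo "-> owner-only"
    rm -rf "$tmp"
}
```

Running `lock_private_tree "$HOME/.jpilot"` closes the exposure for an existing tree; setting `umask 077` in the shell before starting the application prevents newly created files from inheriting the permissive default in the first place.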

Copyright 2010, SecurityFocus