EjabberD Installer Insecure Temporary File Creation Vulnerability
BID:17804
Info
| Bugtraq ID: | 17804 |
| Class: | Design Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | May 02 2006 12:00AM |
| Updated: | May 04 2006 09:45PM |
| Credit: | This vulnerability was discovered by Julien L. |
| Vulnerable: | ejabberd ejabberd 1.1.1_1; ejabberd ejabberd 1.1.1_0; BitRock Install Builder Professional 3; BitRock Install Builder for Linux 3; BitRock Install Builder Enterprise 3 |
| Not Vulnerable: | ejabberd ejabberd 1.1.1_2 |
Discussion
The ejabberd server creates temporary files in an insecure manner.
An attacker with local access could potentially exploit this issue to perform symlink attacks, overwriting arbitrary files in the context of the affected application.
A successful attack would most likely result in loss of confidentiality and theft of privileged information. Successful exploitation of a symlink attack may allow an attacker to overwrite sensitive files. This may result in a denial of service; other attacks may also be possible.
This issue reportedly exists in the installer-generating program that ejabberd utilizes to create the installation package.
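The symlink problem described above, next to the standard fix, as an added example (not ejabberd or BitRock code). The advisory does not publish the installer's temporary file names, so `installer.tmp`, `victim.conf` and the sandbox layout are constructed; everything runs inside a private scratch directory.

```python
import os
import tempfile

def write_naive(path, data):
    # Fixed name + plain open(): follows any symlink already sitting at `path`.
    with open(path, "wb") as f:
        f.write(data)

def write_exclusive(path, data):
    # O_CREAT|O_EXCL fails if anything exists at `path`, symlinks included
    # (even dangling ones); O_NOFOLLOW is defence in depth; 0o600 keeps it private.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def write_unpredictable(directory, data):
    # Preferred form: mkstemp picks a random name and creates it exclusively.
    fd, path = tempfile.mkstemp(prefix="installer-", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def read_bytes(path):
    with open(path, "rb") as f:
        return f.read()

def demo():
    # Constructed sandbox: `shared` stands in for a world-writable temp
    # directory, `victim` for a file owned by the user running the installer.
    with tempfile.TemporaryDirectory() as box:
        shared = os.path.join(box, "shared")
        os.mkdir(shared)
        victim = os.path.join(box, "victim.conf")
        write_naive(victim, b"original")
        fixed = os.path.join(shared, "installer.tmp")  # hypothetical name
        os.symlink(victim, fixed)  # link that was in place before the write

        write_naive(fixed, b"installer data")
        clobbered = read_bytes(victim) == b"installer data"
        write_naive(victim, b"original")  # reset the sandbox file
        try:
            write_exclusive(fixed, b"installer data")
            refused = False
        except OSError:  # EEXIST: the path is already occupied
            refused = True
        intact = read_bytes(victim) == b"original"
        safe = write_unpredictable(shared, b"installer data")
        return clobbered, refused, intact, os.stat(safe).st_mode & 0o777
```

`demo()` returns whether the naive write went through the link, whether the exclusive create refused the occupied path, whether the linked file stayed intact afterwards, and the permission bits of the `mkstemp` file.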
Exploit / POC
An attacker uses available commands to exploit the issue.
Solution / Fix
Solution:
The vendor has released an updated version of ejabberd to address this issue.
ejabberd ejabberd 1.1.1_1
- ejabberd ejabberd-1.1.1_2-linux-installer.bin
  http://www.process-one.net/en/projects/ejabberd/download/1.1.1/ejabberd-1.1.1_2-linux-installer.bin
ejabberd ejabberd 1.1.1_0
- ejabberd ejabberd-1.1.1_2-linux-installer.bin
  http://www.process-one.net/en/projects/ejabberd/download/1.1.1/ejabberd-1.1.1_2-linux-installer.bin