Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19422
HistoryMar 17, 2008 - 12:00 a.m.

[ GLSA 200803-23 ] Website META Language: Insecure temporary file usage

2008-03-1700:00:00
vulners.com
13
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gentoo Linux Security Advisory GLSA 200803-23

                                        http://security.gentoo.org/

Severity: Normal
Title: Website META Language: Insecure temporary file usage
Date: March 15, 2008
Bugs: #209927
ID: 200803-23

Synopsis

Multiple insecure temporary file vulnerabilities have been discovered
in the Website META Language.

Background

Website META Language is a free and extensible Webdesigner's off-line
HTML generation toolkit for Unix.

Affected packages

-------------------------------------------------------------------
 Package       /   Vulnerable   /                       Unaffected
-------------------------------------------------------------------

1 dev-lang/wml < 2.0.11-r3 >= 2.0.11-r3

Description

Temporary files are handled insecurely in the files
wml_backend/p1_ipp/ipp.src, wml_contrib/wmg.cgi, and
wml_backend/p3_eperl/eperl_sys.c, allowing users to overwrite or delete
arbitrary files with the privileges of the user running the program.

Impact

Local users can exploit the insecure temporary file vulnerabilities via
symlink attacks to perform certain actions with escalated privileges.

Workaround

Restrict access to the temporary directory to trusted users only.

Resolution

All Website META Language users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=dev-lang/wml-2.0.11-r3&quot;

References

[ 1 ] CVE-2008-0665
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0665
[ 2 ] CVE-2008-0666
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0666

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200803-23.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH3EVJuhJ+ozIKI5gRAjhXAJ9QOlvhQXkdO+xOUpf2XHnrRUf82QCfetQD
djft0/We2+F+f5zP0Uo4rI8=
=C1oY
-----END PGP SIGNATURE-----

Related

securityvulns 3
gentoo 1
osv 1
openvas 4
nessus 3
debian 2
prion 2
debiancve 2
cve 2
ubuntucve 2
securityvulns
securityvulns
[SECURITY] [DSA 1492-1] New wml packages fix denial of service
2008-02-12 00:00:00
WML symbolic links vulnerability
2008-02-12 00:00:00
Daily web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2008-03-17 00:00:00
gentoo
gentoo
Website META Language: Insecure temporary file usage
2008-03-15 00:00:00
osv
osv
wml
2008-02-10 00:00:00
openvas
openvas
Debian Security Advisory DSA 1492-1 (wml)
2008-02-15 00:00:00
Mandriva Update for wml MDVSA-2008:076 (wml)
2009-04-09 00:00:00
Gentoo Security Advisory GLSA 200803-23 (wml)
2008-09-24 00:00:00
nessus
nessus
GLSA-200803-23 : Website META Language: Insecure temporary file usage
2008-03-17 00:00:00
Debian DSA-1492-1 : wml - insecure temporary files
2008-02-11 00:00:00
Mandriva Linux Security Advisory : wml (MDVSA-2008:076)
2009-04-23 00:00:00
debian
debian
[SECURITY] [DSA 1492-1] New wml packages fix denial of service
2008-02-10 21:10:58
[SECURITY] [DSA 1492-2] New wml packages fix denial of service
2008-04-27 08:23:49
prion
prion
Design/Logic Flaw
2008-02-11 21:00:00
Code injection
2008-02-11 21:00:00
debiancve
debiancve
CVE-2008-0665
2008-02-11 21:00:00
CVE-2008-0666
2008-02-11 21:00:00
cve
cve
CVE-2008-0665
2008-02-11 21:00:00
CVE-2008-0666
2008-02-11 21:00:00
ubuntucve
ubuntucve
CVE-2008-0665
2008-02-11 00:00:00
CVE-2008-0666
2008-02-11 00:00:00
JSON
Related for SECURITYVULNS:DOC:19422
securityvulns3gentoo1osv1openvas4nessus3debian2prion2debiancve2cve2ubuntucve2