Bug 1165719 (CVE-2020-10237) - VUL-1: CVE-2020-10237: froxlor: tmp files world readable until permissions are set, exposing sensitive information
Summary: VUL-1: CVE-2020-10237: froxlor: tmp files world readable until permissions ar...
Status: RESOLVED WONTFIX
Alias: CVE-2020-10237
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Assignee: Andrej Semen
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-04 16:46 UTC by Johannes Segitz
Modified: 2020-03-09 15:14 UTC (History)
0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2020-03-04 16:46:04 UTC 
The installer doesn't set proper permissions on tmp files right away. Line numbers are from current git master, but it's also present in froxlor in Factory

  342                         chmod($userdata_file, 0440);
  343                 } elseif ($fp = @fopen('/tmp/userdata.inc.php', 'w')) {
  344                         $result = @fputs($fp, $userdata, strlen($userdata));
  345                         @fclose($fp);
  346                         $content .= $this->_status_message('orange', $this->_lng['install']['creating_configfile_temp']);
  347                         chmod('/tmp/userdata.inc.php', 0440);

  On my system that means that the file is created with 644 permissions and
  is world readable for a while
  -rw-r--r--  1 wwwrun   www    391 Mar  4 17:03 userdata.inc.php

  Proper permissions should be set before the content is written.
Comment 2 Johannes Segitz 2020-03-09 15:14:09 UTC 
This is CVE-2020-10237. Nothing to do for SLE