Bugtraq mailing list archives
Re: Tempfile vulnerabilities
From: foo () BLACKLISTED INTRANOVA NET (foo)
Date: Mon, 31 Jan 2000 21:53:29 +0000
DOH! DOH! DOH! I meant to add a note about randomizing the tempfile names but forgot to add it in the bugtraq email. I apologize for being lame. However, I still think that avoiding world-writable temporary directories in the first place is your best bet.

Trying to randomize your tempfile names alone is almost (now, before hundreds of people start attacking my philosophy, I said, *almost*) practising security through obscurity! I'm not saying that this extra step should not be taken, but relying upon PRNGs alone doesn't solve the problem, just makes it a bit harder. After all, PRNGs utilize deterministic algorithms which simulate randomness. As some people like to put it: due to the finite state space of the program implementing the PRNG, its output will eventually return to its original value. We could argue from now till kingdom come on what is an acceptable period.

- John
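The point made in the message above, as an added C example that is not part of the original post: when files live in a directory only the owning user can write to and are created with `O_EXCL`, safety no longer depends on the name being unpredictable. The function names, the fixed file name `work.dat` and the `./privtmp.XXXXXX` location are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 only if path is a real directory we own with no group/other bits set. */
int private_dir_ok(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return 0;          /* lstat: do not follow links */
    return S_ISDIR(st.st_mode) && st.st_uid == geteuid()
        && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Create dir/name exclusively. Fails with EEXIST if the name is already
 * taken, so a predictable name is refused rather than reused. */
int create_exclusive(const char *dir, const char *name)
{
    char path[4096];
    if (!private_dir_ok(dir)) { errno = EPERM; return -1; }
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        { errno = ENAMETOOLONG; return -1; }
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed walk-through; returns 0 when every step behaves as expected. */
int demo(void)
{
    char dir[] = "./privtmp.XXXXXX";   /* constructed: under cwd, not /tmp */
    char p[64];
    int fd, rc = 0;
    if (mkdtemp(dir) == NULL) return 1;            /* atomic, mode 0700 */
    if ((fd = create_exclusive(dir, "work.dat")) < 0) rc = 2;
    else close(fd);
    /* Same fixed name again: refused, not reopened. */
    if (!rc && (create_exclusive(dir, "work.dat") != -1 || errno != EEXIST)) rc = 3;
    snprintf(p, sizeof p, "%s/work.dat", dir);
    unlink(p);
    /* Once group/other bits are set the directory no longer qualifies. */
    if (!rc && (chmod(dir, 0777) != 0 || private_dir_ok(dir))) rc = 4;
    rmdir(dir);
    return rc;
}

int main(void) { return demo(); }
```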