Creation of Temporary File in Directory with Incorrect Permissions
Weakness ID: 379 (Weakness Base) | Status: Incomplete |
Description Summary
Extended Description
On some operating systems, the existence of the temporary file may be apparent to any user with sufficient privileges to access that directory. Because the file is visible, an observer may be able to tell which application is using it. An attacker who can also list the processes on the system gains information about what the user is doing at that time. By correlating this with the applications the user is running, the attacker could potentially discover the user's actions. From this, higher levels of security could be breached.
Scope | Effect |
---|---|
Confidentiality | Since the file is visible and the application which is using the temp file could be known, the attacker has gained information about what the user is doing at that time. |
Example 1
In Cygwin and some older Unixes, one can run ls /tmp and see that this temp file exists.
This temp file is readable by all users.
Phase: Requirements
Many contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible.

Phase: Implementation
Try to store sensitive temporary files in a directory which is not world readable, i.e., per-user directories.

Phase: Implementation
Avoid using vulnerable temp file functions.
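
The two Implementation-phase mitigations, shown together as an added example (not part of the original entry): a private directory is created with POSIX `mkdtemp()`, checked for ownership and permissions, and the file is then created inside it with `mkstemp()`, so neither its name nor its contents are exposed to other users listing the shared parent. The helper names, the `demo-`/`work-` name templates and the `/tmp` base are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if dir is a real directory (not a symlink), owned by this process's
 * effective user, with no group/other permission bits; otherwise 0. */
int dir_is_private(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return st.st_uid == geteuid() && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Creates a 0700 directory under base, then a 0600 file inside it.
 * Returns an open fd (paths written to dir_out/file_out), or -1. */
int private_tempfile(const char *base, char *dir_out, char *file_out, size_t len)
{
    if (snprintf(dir_out, len, "%s/demo-XXXXXX", base) >= (int)len)
        return -1;
    if (mkdtemp(dir_out) == NULL)   /* unpredictable name, created mode 0700 */
        return -1;
    if (!dir_is_private(dir_out) ||
        snprintf(file_out, len, "%s/work-XXXXXX", dir_out) >= (int)len) {
        rmdir(dir_out);
        return -1;
    }
    int fd = mkstemp(file_out);     /* O_CREAT|O_EXCL, created mode 0600 */
    if (fd < 0)
        rmdir(dir_out);
    return fd;
}

int main(void)
{
    char dir[PATH_MAX], file[PATH_MAX];
    int fd = private_tempfile("/tmp", dir, file, sizeof dir);  /* assumed base */
    if (fd < 0) {
        perror("private_tempfile");
        return 1;
    }
    printf("temp file %s inside private directory %s\n", file, dir);
    close(fd);
    unlink(file);
    rmdir(dir);
    return 0;
}
```

The same `dir_is_private()` check can be applied to an existing per-user directory before any temporary file is placed in it.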
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Category | 376 | Temporary File Issues | Development Concepts (primary) 699 |
ChildOf | Weakness Base | 377 | Insecure Temporary File | Research Concepts (primary) 1000 |
ChildOf | Category | 743 | CERT C Secure Coding Section 09 - Input Output (FIO) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary) 734 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
CLASP | | | Guessed or visible temporary file |
CERT C Secure Coding | FIO15-C | | Ensure that file operations are performed in a secure directory |
CERT C Secure Coding | FIO43-C | | Do not create temporary files in shared directories |
Submissions

Submission Date | Submitter | Organization | Source |
---|---|---|---|
 | CLASP | | Externally Mined |

Modifications

Modification Date | Modifier | Organization | Source | Changes |
---|---|---|---|---|
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
2008-09-08 | CWE Content Team | MITRE | Internal | updated Common Consequences, Relationships, Other Notes, Taxonomy Mappings |
2008-11-24 | CWE Content Team | MITRE | Internal | updated Relationships, Taxonomy Mappings |
2009-05-27 | CWE Content Team | MITRE | Internal | updated Description, Name |
2009-07-27 | CWE Content Team | MITRE | Internal | updated Description, Other Notes, Potential Mitigations |

Previous Entry Names

Change Date | Previous Entry Name |
---|---|
2008-04-11 | Guessed or Visible Temporary File |
2009-05-27 | Creation of Temporary File in Directory with Insecure Permissions |