26 lines
1.3 KiB
Plaintext
26 lines
1.3 KiB
Plaintext
Operating systems have global directories where any user has write access. Those folders are mostly used as temporary storage areas like ``++/tmp++`` in Linux based systems. An application manipulating files from these folders is exposed to race conditions on filenames: a malicious user can try to create a file with a predictable name before the application does. A successful attack can result in other files being accessed, modified, corrupted or deleted. This risk is even higher if the application runs with elevated permissions.
|
|
|
|
|
|
In the past, it has led to the following vulnerabilities:
|
|
|
|
* https://nvd.nist.gov/vuln/detail/CVE-2012-2451[CVE-2012-2451]
|
|
* https://nvd.nist.gov/vuln/detail/CVE-2015-1838[CVE-2015-1838]
|
|
|
|
This rule raises an issue whenever it detects a hard-coded path to a publicly writable directory like ``++/tmp++`` (see examples bellow). It also detects access to environment variables that point to publicly writable directories, e.g., ``++TMP++`` and ``++TMPDIR++``.
|
|
|
|
|
|
* ``++/tmp++``
|
|
* ``++/var/tmp++``
|
|
* ``++/usr/tmp++``
|
|
* ``++/dev/shm++``
|
|
* ``++/dev/mqueue++``
|
|
* ``++/run/lock++``
|
|
* ``++/var/run/lock++``
|
|
* ``++/Library/Caches++``
|
|
* ``++/Users/Shared++``
|
|
* ``++/private/tmp++``
|
|
* ``++/private/var/tmp++``
|
|
* ``++\Windows\Temp++``
|
|
* ``++\Temp++``
|
|
* ``++\TMP++``
|