24 lines
1.3 KiB
Plaintext
24 lines
1.3 KiB
Plaintext
Operating systems have global directories where any user have write access. Those folders are mostly used as temporary storage areas like <code>/tmp</code> in Linux based systems. An application manipulating files from these folders is exposed to race conditions on filenames: a malicious user can try to create a file with a predictable name before the application does. A successful attack can result in other files being accessed, modified, corrupted or deleted. This risk is even higher if the application runs with elevated permissions.
|
|
|
|
In the past, it has led to the following vulnerabilities:
|
|
|
|
* https://nvd.nist.gov/vuln/detail/CVE-2012-2451[CVE-2012-2451]
|
|
* https://nvd.nist.gov/vuln/detail/CVE-2015-1838[CVE-2015-1838]
|
|
|
|
This rule raises an issue whenever it detects a hard-coded path to a publicly writable directory like <code>/tmp</code> (see complete list bellow). It also detects access to <code>TMP</code> and <code>TMPDIR</code> environment variables.
|
|
|
|
* <code>/tmp</code>
|
|
* <code>/var/tmp</code>
|
|
* <code>/usr/tmp</code>
|
|
* <code>/dev/shm</code>
|
|
* <code>/dev/mqueue</code>
|
|
* <code>/run/lock</code>
|
|
* <code>/var/run/lock</code>
|
|
* <code>/Library/Caches</code>
|
|
* <code>/Users/Shared</code>
|
|
* <code>/private/tmp</code>
|
|
* <code>/private/var/tmp</code>
|
|
* <code>\Windows\Temp</code>
|
|
* <code>\Temp</code>
|
|
* <code>\TMP</code>
|