24 lines
1.2 KiB
Plaintext
24 lines
1.2 KiB
Plaintext
Operating systems have global directories where any user has write access. Those folders are mostly used as temporary storage areas like ``/tmp`` in Linux based systems. An application manipulating files from these folders is exposed to race conditions on filenames: a malicious user can try to create a file with a predictable name before the application does. A successful attack can result in other files being accessed, modified, corrupted or deleted. This risk is even higher if the application runs with elevated permissions.
|
|
|
|
In the past, it has led to the following vulnerabilities:
|
|
|
|
* https://nvd.nist.gov/vuln/detail/CVE-2012-2451[CVE-2012-2451]
|
|
* https://nvd.nist.gov/vuln/detail/CVE-2015-1838[CVE-2015-1838]
|
|
|
|
This rule raises an issue whenever it detects a hard-coded path to a publicly writable directory like ``/tmp`` (see examples bellow). It also detects access to environment variables that point to publicly writable directories, e.g., ``TMP`` and ``TMPDIR``.
|
|
|
|
* ``/tmp``
|
|
* ``/var/tmp``
|
|
* ``/usr/tmp``
|
|
* ``/dev/shm``
|
|
* ``/dev/mqueue``
|
|
* ``/run/lock``
|
|
* ``/var/run/lock``
|
|
* ``/Library/Caches``
|
|
* ``/Users/Shared``
|
|
* ``/private/tmp``
|
|
* ``/private/var/tmp``
|
|
* ``\Windows\Temp``
|
|
* ``\Temp``
|
|
* ``\TMP``
|