Vigil@nce: GNOME Evolution, information reading
May 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
Access rights of the ~/.evolution directory allow all users to
read its content.
Severity: 1/4
Consequences: data reading
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 22/05/2009
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The GNOME Evolution messaging client stores preferences and emails
of each user in his home directory, under the ~/.evolution
directory.
However, this directory is created by default with the 0755 mode,
which means that it can be read by all users on the system.
If the victim did not restrict the access to his home directory
(0700 for example), a local attacker can therefore read his emails.
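The check below is an added example, not part of the advisory: it reports a mail store as exposed only when both conditions described above hold (home directory searchable by others, .evolution readable or searchable by others) and applies a 0700 mode as the fix. It assumes GNU stat; the function names and the sample directory tree are constructed for illustration.

```shell
# Added example, not from the advisory. Assumes GNU stat (-c '%a').

# Print the "other" permission digit (0-7) of a path.
other_bits() {
    mode=$(stat -c '%a' "$1") || return 1
    echo $(( $mode % 10 ))
}

# Return 0 when DIR/.evolution is reachable by other local users: the home
# directory must grant others search (x), and .evolution must grant others
# read (list names) or search (open files by path).
evolution_exposed() {
    [ -d "$1/.evolution" ] || return 1
    h=$(other_bits "$1") || return 1
    e=$(other_bits "$1/.evolution") || return 1
    [ $(( h & 1 )) -ne 0 ] && [ $(( e & 5 )) -ne 0 ]
}

# Mitigation: make the mail store accessible to its owner only.
harden_evolution() {
    chmod 700 "$1/.evolution"
}

# Constructed sample: a home directory holding a store with the default 0755.
make_sample_home() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/.evolution/mail/local"
    chmod 755 "$d" "$d/.evolution"
    echo "$d"
}

# Report every home directory passed as an argument.
audit() {
    for dir in "$@"; do
        if evolution_exposed "$dir"; then echo "EXPOSED: $dir/.evolution"
        else echo "ok: $dir"; fi
    done
}

if [ "$#" -gt 0 ]; then
    audit "$@"                     # e.g. sh audit.sh /home/*
else
    sample=$(make_sample_home)
    audit "$sample"                # mode 0755: reported as exposed
    harden_evolution "$sample"
    audit "$sample"                # mode 0700: no longer reported
    rm -rf "$sample"
fi
```
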
CHARACTERISTICS
Identifiers: 498648, 526409, 581604, CVE-2009-1631,
VIGILANCE-VUL-8729
http://vigilance.fr/vulnerability/GNOME-Evolution-information-reading-8729