mailing list archives
Re: Tempfile vulnerabilities
From: foo () BLACKLISTED INTRANOVA NET (foo)
Date: Mon, 31 Jan 2000 21:53:29 +0000
DOH! DOH! DOH!
I meant to add a note about randomizing the tempfile names
but forgot to add it in the bugtraq email.
I apologize for being lame.
However, I still think that avoiding world writable temporary
directories in the first place is your best bet. Trying to
randomize your tempfile names alone is almost (now, before
hundreds of people start attacking my philosophy, i said, *almost*)
practising security through obscurity! I'm not saying that this
extra step should not be taken, but relying upon PRNGs alone
doesn't solve the problem, just makes it a bit harder.
Afterall, PRNGs utilize deterministic algorithms which simulate
randomness. As some people like to put it: due to the finite
state space of the program implementing the PRNG, its output
will eventually return to its original value. We could argue
from now till kingdom come on what is an acceptable period.