TOPIC: Clipboard in QNX Photon ADVISORY NR: 200201 DATE: Nov 13 2002 VULNERABILITY FOUND BY: 1; (One Semicolon) CONTACT INFORMATION: http://www.4os.org sat_private STATUS: QNX Software Systems Ltd was contacted on November 11, 2002. I received prompt replies and was assured that this was being sent through the proper channels to have this resolved. I was unable to receive a preliminary patch or a estimate as to how long this process would take. DESCRIPTION QNX Photon has a clipboard feature that enables you to cut and paste amongst other things. It has a security issue that allows anyone to access what is on the clipboard. ISSUE /var/clipboard/localhost/00000000/1.TEXT holds the information you cut or copied. The name localhost may be different depending on the hostname of the system QNX Photon is installed on. The 00000000 signifies the user ID in hex. By changing this value, you can change whose information you see. 1.TEXT holds the information. SYSTEM INFORMATION: QNX 6.2.0 Non-commercial edition on a x86 architecture was used. All patches and updates were applied at the time of writing. FIX Adjust permissions of the seperate user folders within /var/clipboard/localhost to only allow a individual to access their own clipboard.
This archive was generated by hypermail 2b30 : Sat Nov 23 2002 - 00:11:27 PST