COMMAND

    J-Pilot

SYSTEMS AFFECTED

    J-Pilot

PROBLEM

    Weston Pawlowski found the following.  J-Pilot automatically creates
    a ".jpilot" directory in the user's home directory to store
    preferences and backed up PalmOS device data.  The permissions
    for this directory are mode 755, and files in the directory are
    mode 644; this allows anyone with only minimal access to the
    user's home directory to also access their PalmOS device's backup
    data, including private records.

    Because ".jpilot"  is often  hidden due  to the  leading '.', this
    insecurity is often unnoticed.  This is a big concern for  J-Pilot
    users  because  it  is  common  for  home  directories to be world
    executable,  often  due  to  a  "public_html"  directory  for HTTP
    content which requires  the user's home  directory to be  at least
    world executable.

    So in summary, if there is a user named "joe" who uses J-Pilot,
    any user on the system could type "cd ~joe/.jpilot" and read
    all of joe's PalmOS data including private records.  This is
    dependent on joe's home directory being world executable or not,
    but it often is.

    The good news  is that it's  probably not very  common for someone
    to sync their PalmOS device on  a system that many, if any,  other
    people have shell access to.  But, if this situation does  happen,
    the  vulnerable  user  is  likely  to  be the owner of the machine
    (since he has  to be local),  and there's the  possibility that he
    may keep a  password list on  his PalmOS device.   In which  case,
    any user could get  the system admin's passwords,  which obviously
    may include the system's root password.

SOLUTION

    The fix is to simply type "chmod 700 ~/.jpilot".  J-Pilot has
    always used the preset umask when creating directories and
    files, therefore they never considered this to be a security
    risk.  It is up to the system administrator or the user to set
    the umask to his/her liking.  Setting the umask to something
    vulnerable is a general system administration security risk and
    not a risk caused by the applications that read it and abide by
    it.

    The simple solution in this case is for J-Pilot to write files  in
    mode 600, as probably every user everywhere will want.
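
    The check and the fix above as a small shell script.  This is an
    added example, not part of the original advisory or of J-Pilot;
    the function names and the sample file names are made up for
    illustration.

```shell
#!/bin/sh
# Added example: audit and tighten a J-Pilot data directory.
# The default path is the one named in the advisory; override with JPILOT_DIR.
JPILOT_DIR="${JPILOT_DIR:-$HOME/.jpilot}"

# Print every file or directory under $1 that grants any permission bit to
# group or other. Symlinks are skipped because their own mode is not enforced.
list_exposed() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Remove all group/other access recursively:
# directories go from 755 to 700, files from 644 to 600.
harden() {
    chmod -R go-rwx "$1"
}

# Symbolic mode of one path, e.g. "drwxr-xr-x" (first 10 columns of ls -ld).
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Build a constructed sample tree the way a program that simply obeys a
# umask of 022 would: the result is 755 directories and 644 files.
make_sample() {
    (
        umask 022
        mkdir -p "$1/backup" &&
        : > "$1/sample.rc" &&
        : > "$1/backup/sample.pdb"
    )
}

# Run stand-alone: read-only report on the real directory, if it exists.
# Call harden "$JPILOT_DIR" afterwards to apply the fix.
if [ -d "$JPILOT_DIR" ]; then
    list_exposed "$JPILOT_DIR"
fi
```

    No output from the report means nothing under the directory is
    reachable by group or other users.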

    For Linux Mandrake:

        Linux-Mandrake 7.2: 7.2/RPMS/jpilot-0.98.1-7.1mdk.i586.rpm
                            7.2/RPMS/jpilot-plugin-devel-0.98.1-7.1mdk.i586.rpm
                            7.2/SRPMS/jpilot-0.98.1-7.1mdk.src.rpm