CVE-2008-4938 Information
Description
aegis 4.24 and aegis-web 4.24 allow local users to overwrite arbitrary files via a symlink attack on (a) /tmp/ (b) /tmp/.intro (c) /tmp/aegis..ae (d) /tmp/aegis. (e) /tmp/aegis..1 (f) /tmp/aegis..2 (g) /tmp/aegis..log and (h) /tmp/aegis..out temporary files related to the (1) bng_dvlpd.sh (2) bng_rvwd.sh (3) awt_dvlp.sh (4) awt_intgrtn.sh and (5) aegis.cgi scripts.
Reference
http://bugs.debian.org/496400
http://bugs.debian.org/496402
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496402
http://dev.gentoo.org/~rbu/security/debiantemp/aegis
http://dev.gentoo.org/~rbu/security/debiantemp/aegis-web
http://secunia.com/advisories/31970
http://sourceforge.net/tracker/index.php?func=detail&aid=2079025&group_id=224&atid=100224
http://uvw.ru/report.lenny.txt
http://www.openwall.com/lists/oss-security/2008/10/30/2
http://www.securityfocus.com/bid/30883
https://bugs.gentoo.org/show_bug.cgi?id=235770
https://exchange.xforce.ibmcloud.com/vulnerabilities/44835