🟠 [HIGH] CB-007: World-Writable FileDrop Directory #16

Open
opened 2026-02-20 08:50:03 +00:00 by Alpha · 0 comments

## Security Finding from Audit

> Parent issue: #1

### Severity

**HIGH** 🟠

### CVSS Score

N/A

### CWE

CWE-732 (Incorrect Permission Assignment for Critical Resource)

### Location

`filedrop/plugin.py, start(), line: os.chmod(..., 0o777)`

---

### Description

The FileDrop plugin sets the base directory (`/tmp/filedrop` by default) to world-writable (mode `0o777`). Any local user can inject messages, impersonate agents, or tamper with message files.

---

### Recommendation

Use group-based permissions (e.g., a `cobot` group). Never use mode `0o777` for directories containing trusted data.

---

*From: Cobot Whitebox Security Audit (February 14, 2026)*
*Finding ID: CB-007*
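One way to apply the recommendation, as an added example that is not cobot's own code: the flagged `0o777` pattern beside a hypothetical hardened setup that grants rwx only to the owner and an assumed `cobot` group (setgid so new message files inherit that group), plus a check that flags a world-writable spool directory.

```python
"""Hardened FileDrop spool setup (added example, not cobot's own code).
The audited plugin.py calls os.chmod(base_dir, 0o777). The replacement below
is hypothetical: owner and a dedicated group (assumed name 'cobot') get rwx,
'other' gets nothing, and setgid makes new message files inherit the group."""
import grp
import os
import stat
import tempfile
from typing import Optional

DEFAULT_GROUP = "cobot"  # assumed group name from the recommendation


def weak_setup(base_dir: str) -> int:
    """The pattern the audit flagged (CB-007): world-writable spool."""
    os.makedirs(base_dir, exist_ok=True)
    os.chmod(base_dir, 0o777)
    return stat.S_IMODE(os.stat(base_dir).st_mode)


def hardened_setup(base_dir: str, group: Optional[str] = DEFAULT_GROUP) -> int:
    """Create base_dir as rwxrws--- for the current user and `group`.

    If `group` is None or cannot be applied on this host, the directory keeps
    the creating user's group; either way it is never world-writable.
    """
    os.makedirs(base_dir, mode=0o770, exist_ok=True)
    if group is not None:
        try:
            os.chown(base_dir, -1, grp.getgrnam(group).gr_gid)  # group only
        except (KeyError, PermissionError):
            pass  # unknown group or not a member; chmod below still applies
    # mkdir's mode is subject to umask; an explicit chmod is not.
    os.chmod(base_dir, stat.S_IRWXU | stat.S_IRWXG | stat.S_ISGID)
    return stat.S_IMODE(os.stat(base_dir).st_mode)


def is_world_writable(path: str) -> bool:
    """Audit check: True if 'other' holds the write bit on `path`."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def demo() -> dict:
    """Build both layouts under a fresh temp dir; group=None keeps it portable."""
    parent = tempfile.mkdtemp(prefix="filedrop-demo-")
    weak, hard = os.path.join(parent, "weak"), os.path.join(parent, "hard")
    return {"weak": (weak_setup(weak), is_world_writable(weak)),
            "hard": (hardened_setup(hard, group=None), is_world_writable(hard))}
```

Provision the group (e.g. `groupadd cobot` and add the agent users to it) before deploying with the default, otherwise the directory stays on the creating user's group and only that user can write.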

Reference
ultanio/cobot#16