Author: Paul Szabo <psz@maths.usyd.edu.au>

Recently I reported that, similarly to the recently discussed tcsh vulnerability, the Bourne shell /bin/sh creates temporary files in an insecure way:

http://www.securityfocus.com/templates/archive.pike?list=1&msg=200011230225.NAA19716@milan.maths.usyd.edu.au

At the time I also tested the Korn shell ksh, and it seemed safe... but no, ksh is in fact also vulnerable. (Is this all shells? We have seen tcsh, bash, sh and now ksh fail...)

Demonstration (ksh is vulnerable if the size of silly.1 is changed):

    #!/bin/ksh -x
    touch /tmp/silly.1
    ln -s /tmp/silly.1 /tmp/sh$$.1
    ls -l /tmp/silly.* /tmp/sh$$.*
    cat <
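
Added example (not part of the original post, and not code from ksh or any other shell): a C sketch of why a predictable temporary file name is unsafe and how an exclusive create refuses a pre-planted link. It recreates the post's silly.1 setup inside a private scratch directory; the directory name, the fixed name sh1234.1 (standing in for sh$$.1) and the function names are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the post describes: predictable name, an existing symlink is followed. */
static int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if the name exists, symlinks included. */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Recreates the post's setup inside a private scratch directory.
 * Returns a bitmask: 1 = predictable open wrote through the link into silly.1,
 *                    2 = exclusive open refused the planted link (EEXIST). */
int run_demo(void) {
    char dir[] = "/tmp/heredoc-demo.XXXXXX";
    char victim[64], tmp[64];
    struct stat st;
    int fd, result = 0;

    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/silly.1", dir);
    snprintf(tmp, sizeof tmp, "%s/sh1234.1", dir);   /* constructed stand-in for sh$$.1 */
    fd = open(victim, O_WRONLY | O_CREAT, 0600);     /* touch silly.1 */
    if (fd < 0) return -1;
    close(fd);
    if (symlink(victim, tmp) != 0) return -1;        /* ln -s silly.1 sh1234.1 */

    fd = open_exclusive(tmp);                        /* hardened path first */
    if (fd < 0 && errno == EEXIST) result |= 2;
    if (fd >= 0) close(fd);

    fd = open_predictable(tmp);                      /* write lands in silly.1 */
    if (fd >= 0) { ssize_t n = write(fd, "here-doc\n", 9); (void)n; close(fd); }
    if (stat(victim, &st) == 0 && st.st_size > 0) result |= 1;

    unlink(tmp); unlink(victim); rmdir(dir);
    return result;
}

int main(void) { printf("result=%d\n", run_demo()); return 0; }
```

A result of 3 means both effects were observed: the size of silly.1 changed through the predictable name, and the exclusive create was refused.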