Bugtraq mailing list archives
Insecure handling of notes in Slashcode
From: "jesus lovejones" <brain_eater () zombieworld com>
Date: Sat, 8 Sep 2001 01:06:32 -0400
Security Advisory - September 9, 2001 plastic.com's Slashcode Overview: The implementation of private notes on plastic.com's Slashcode-driven site is insecure. Any logged in user can view any message in the system. Description: After logging into the site as a user, http://www.plastic.com/message.pl?op=read&m_id=9999 (where m_id= a given message's ID) will display the message, even if you weren't the user that the message was sent to. http://www.automatic-media.com/privacypolicy.html says "Automatic Media takes the matter of our users' privacy very seriously." Some of the user data exposed through this bug would argue otherwise. Versions Affected: Beats me. I searched Slashcode's bug tracker and didn't find any related entries; I don't know what version of Slashcode plastic.com's running and I don't know if notes is a feature of Slashcode or something they rolled in after the fact, so I can't say how endemic this bug is. Resolution: I e-mailed support () plastic com and editors () plastic com last Friday evening with this information, recommending that they purge the notes database and add a disclaimer on the messaging pages, and still haven't heard back from them. _________________________________________________________ Get your own FREE zombieworld.com Email account at... http://www.evilemail.com zombieworld.com - The dead come back to life, just for you. _________________________________________________________
Current thread:
- Insecure handling of notes in Slashcode jesus lovejones (Sep 08)
- Message not available
- Re: Insecure handling of notes in Slashcode Anuff Joey (Sep 08)
- Message not available
- <Possible follow-ups>
- Re: Insecure handling of notes in Slashcode Chris Nandor (Sep 09)