Bugtraq mailing list archives

[SA-2002:01] Slashcode login vulnerability


From: Jamie McCarthy <jamie () mccarthy vg>
Date: Tue, 19 Feb 2002 10:38:25 -0500

RISK FACTOR: HIGH


SYNOPSIS

Slash, the code that runs Slashdot and many other web sites, has a
cross-site scripting vulnerability in all versions prior to 2.2.5,
released February 7, 2002.

Users who have JavaScript enabled, and who can be persuaded to click
on an attacker's URL pointing at a victim Slash website, will send their
Slash cookie, which carries their username and password, to the
attacker's website.

The attacker can then take over the user's account.  If the user is
an administrator of the victim Slash website, the attacker can take
nearly full control of that site (post and delete stories, edit
users, post as other users, etc.).
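The bug class the synopsis describes, as an added illustration that is not
code from Slash or from this advisory: a page that reflects a query
parameter into HTML unescaped next to one that escapes it. The page
template, the URL and the parameter name "q" are assumptions chosen for the
example; the advisory does not say which Slash input was affected, and the
script body here is a placeholder rather than the cookie-stealing payload.

```python
# Added example, not Slash code: reflected XSS, vulnerable renderer vs. hardened one.
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed attacker URL on the victim site; the query carries a script tag
# that a vulnerable page would echo back into its HTML.
ATTACK_URL = "http://victim.example/search.pl?q=%3Cscript%3Ealert(1)%3C/script%3E"


def reflected_param(url, name="q"):
    """Return the named query parameter as the server would decode it."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_vulnerable(term):
    """Interpolates the term into the page untouched: the browser runs any tag in it."""
    return f"<p>Results for: {term}</p>"


def render_hardened(term):
    """Escapes <, >, &, and quotes, so the term is displayed as text only."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_tag(page):
    """Crude check used by the test: is there a live <script> tag in the output?"""
    return SCRIPT_TAG.search(page) is not None


if __name__ == "__main__":
    term = reflected_param(ATTACK_URL)
    print("vulnerable:", render_vulnerable(term))
    print("hardened:  ", render_hardened(term))
```

With output escaping in place the attacker's URL still reaches the victim
site, but the injected markup is rendered as literal text and never executes,
so nothing reads the cookie.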


VULNERABLE SYSTEMS

Any Slash system running code prior to 2.2.5 (released February 7,
2002).  This includes 1.x and 2.0.x as well as 2.2.0 through 2.2.4.
Sites using the development code from CVS since February 7 are
unaffected.


RESOLUTION

Slash 2.1 and 2.2 sites should upgrade to Slash 2.2.5 immediately.
Systems running development code from CVS should run cvs update and
install the most recent code.

Slash 1.0.x and 2.0.x are no longer supported and there will not
be further releases.  Sites running these versions should apply
the patches at this URL:

  http://slashcode.com/article.pl?sid=02/02/07/1624221

Further, site administrators should change their passwords (the stolen
cookie carries the password, so changing it invalidates any copy an
attacker already holds), and check the "seclev" field in the users
table to make sure no one has a seclev greater than or equal to 100
who should not have administrator privileges:

  mysql> SELECT uid, nickname, seclev FROM users WHERE seclev >= 100;

That query should list only the users who are supposed to hold some
administrator privileges; any uid you do not recognize is a sign the
account base has been tampered with.
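One way to make the seclev check repeatable, as an added example that is
not part of the advisory or of Slash: run the query above with mysql
--batch, which prints tab-separated rows under a header line, and diff the
result against an approved list of administrator uids kept outside the
database. The sample output, the approved uids and the database name are
constructed for the example.

```python
# Added example, not Slash code: audit the users table listing against an
# approved administrator list.
ADMIN_SECLEV = 100  # the advisory's threshold: seclev >= 100 is an administrator

# Constructed `mysql --batch` output for
#   SELECT uid, nickname, seclev FROM users WHERE seclev >= 100;
SAMPLE_OUTPUT = (
    "uid\tnickname\tseclev\n"
    "1\tadmin\t10000\n"
    "2\teditor\t100\n"
    "4711\tnewguy\t100\n"
)

# Constructed approved list. Keep the real one outside the database, so an
# attacker who has taken over an admin account cannot edit the reference too.
APPROVED_ADMIN_UIDS = {1, 2}


def parse_batch_output(text):
    """Parse mysql --batch output into (uid, nickname, seclev) tuples."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split("\t")
    if header != ["uid", "nickname", "seclev"]:
        raise ValueError(f"unexpected columns: {header}")
    rows = []
    for ln in lines[1:]:
        uid, nickname, seclev = ln.split("\t")
        rows.append((int(uid), nickname, int(seclev)))
    return rows


def unexpected_admins(rows, approved):
    """Rows at or above ADMIN_SECLEV whose uid is not on the approved list."""
    return [r for r in rows if r[2] >= ADMIN_SECLEV and r[0] not in approved]


def missing_admins(rows, approved):
    """Approved uids that no longer appear with admin seclev (a possible demotion)."""
    present = {r[0] for r in rows if r[2] >= ADMIN_SECLEV}
    return sorted(approved - present)


if __name__ == "__main__":
    # Real use (database name "slash" assumed):
    #   mysql --batch -e "SELECT uid, nickname, seclev FROM users WHERE seclev >= 100" slash | python audit.py
    import sys
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    rows = parse_batch_output(text)
    for uid, nick, seclev in unexpected_admins(rows, APPROVED_ADMIN_UIDS):
        print(f"UNEXPECTED admin: uid={uid} nickname={nick} seclev={seclev}")
    for uid in missing_admins(rows, APPROVED_ADMIN_UIDS):
        print(f"approved admin uid={uid} no longer has seclev >= {ADMIN_SECLEV}")
```

Run it from cron after the upgrade as well as once now: an account an
attacker promoted before the patch was applied stays promoted until someone
looks.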

As always, Slash site administrators should subscribe to the
slashcode-general or slashcode-announce mailing lists, to keep up to
date on the latest releases and security notices.  Subscription
information is on the Slashcode site at <http://slashcode.com/>.


CREDITS

Hiromitsu Takagi discovered the vulnerability and alerted the Slash
programming team with a proof of concept.  Slash 2.2.5 was released
the next morning (U.S. time), twelve hours later.


CONTACT INFORMATION

The Slash website is at <http://slashcode.com/>.

Issues regarding the Slash 2.2.5 release specifically may be sent
to Jamie McCarthy, jamie () osdn com.

Any security issues relating to OSDN software, including Slash,
may be sent to security () osdn com.
--
 Jamie McCarthy
 jamie () mccarthy vg
