Bugtraq mailing list archives
Re: slashdot / slashcode disclosing passwords
From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Wed, 11 Sep 2002 17:37:02 -0400 (EDT)
On Wed, 11 Sep 2002, Craig Dickson wrote:
> Slashcode allows you to connect with "http://site/?unickname=my+nick&upasswd=passwd" as a "quick login". It has been like this for years, and has always been documented as being "totally insecure, but very convenient". (Cite: log in to slashdot.org, then go to "/users.pl?op=edituser")
From my conversation with Slashdot folks, it seems that it shouldn't be this way. The more reasonable way to implement it is to immediately refresh to a URL at some "safe" location (and give the user a cookie or put some extra information in returned POST forms). Putting a solution that is so grossly insecure is insane a bit ;-)

--
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};: =-=>
Did you know that clones never use mirrors? <=-=
http://lcamtuf.coredump.cx/photo/
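The two behaviours discussed in this thread, side by side, as an added example that is not part of the original posts or of Slashcode: the "quick login" that serves the logged-in page straight from the credential-bearing URL (so the password sits in the access log, the browser history and any outbound Referer), and the fix Zalewski describes, which verifies the credential, mints a session cookie and immediately redirects to a safe location. The user store, the handler signatures and the `SESSIONS` table are hypothetical and exist only to make the example run offline.

```python
"""Added example (not Slashcode): quick-login via query string vs. verify-then-redirect.

Requests are modelled as plain URL strings and responses as dicts, so the
difference in what ends up in logs and in the browser's location bar is visible
without running a web server. All names and data here are constructed.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store (hypothetical): username -> (salt, PBKDF2 hash).
_SALT = b"constructed-salt"
USERS = {"mynick": (_SALT, _hash("passwd", _SALT))}

# Query parameters that must never be written to a log or echoed back.
SENSITIVE = {"upasswd"}

# In-memory session table (hypothetical): token -> username.
SESSIONS: dict[str, str] = {}


def check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, expected = rec
    return hmac.compare_digest(_hash(password, salt), expected)


def query_value(url: str, key: str) -> str:
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(key, [""])[0]


def redact_query(url: str) -> str:
    """Return the URL with sensitive query values replaced, for safe logging."""
    parts = urlsplit(url)
    q = parse_qs(parts.query, keep_blank_values=True)
    for k in q:
        if k in SENSITIVE:
            q[k] = ["[REDACTED]"]
    return urlunsplit(parts._replace(query=urlencode(q, doseq=True)))


def session_user(token: str):
    return SESSIONS.get(token)


def quick_login_as_described(url: str) -> dict:
    """The behaviour Craig Dickson describes: credentials arrive in the query
    string and the same URL is served as the logged-in page, so the password
    is retained everywhere that URL is recorded."""
    ok = check_password(query_value(url, "unickname"), query_value(url, "upasswd"))
    return {
        "status": 200 if ok else 401,
        "headers": {},
        "logged_url": url,  # what the access log / history / Referer carry
    }


def quick_login_redirect(url: str) -> dict:
    """Zalewski's suggestion: verify, hand out a session cookie and redirect
    at once to a safe location, so the credential-bearing URL is never the
    page the browser rests on; the log line is redacted as well."""
    if not check_password(query_value(url, "unickname"), query_value(url, "upasswd")):
        return {"status": 303, "headers": {"Location": "/login"},
                "logged_url": redact_query(url)}
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = query_value(url, "unickname")
    return {
        "status": 303,
        "headers": {
            "Location": "/",
            "Set-Cookie": f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax",
        },
        "logged_url": redact_query(url),
    }


if __name__ == "__main__":
    sample = "http://site/?unickname=mynick&upasswd=passwd"  # constructed
    print(quick_login_as_described(sample))
    print(quick_login_redirect(sample))
```

The redirect variant still receives the password on the wire once, which is why the thread's other suggestion (carrying the credential in a POST form body rather than the query string) is the companion change: a 303 after the POST keeps the same "never rest on the credential URL" property while also keeping the secret out of the request line.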
Current thread:
- slashdot / slashcode disclosing passwords Michal Zalewski (Sep 11)
- Re: slashdot / slashcode disclosing passwords Craig Dickson (Sep 11)
- Re: slashdot / slashcode disclosing passwords Michal Zalewski (Sep 13)
- Re: slashdot / slashcode disclosing passwords Jamie McCarthy (Sep 18)
- Re: slashdot / slashcode disclosing passwords Craig Dickson (Sep 11)