Security Advisory - September 9, 2001 plastic.com's Slashcode Overview: The implementation of private notes on plastic.com's Slashcode-driven site is insecure. Any logged in user can view any message in the system. Description: After logging into the site as a user, http://www.plastic.com/message.pl?op=read&m_id=9999 (where m_id= a given message's ID) will display the message, even if you weren't the user that the message was sent to. http://www.automatic-media.com/privacypolicy.html says "Automatic Media takes the matter of our users' privacy very seriously." Some of the user data exposed through this bug would argue otherwise. Versions Affected: Beats me. I searched Slashcode's bug tracker and didn't find any related entries; I don't know what version of Slashcode plastic.com's running and I don't know if notes is a feature of Slashcode or something they rolled in after the fact, so I can't say how endemic this bug is. Resolution: I e-mailed supportat_private and editorsat_private last Friday evening with this information, recommending that they purge the notes database and add a disclaimer on the messaging pages, and still haven't heard back from them. _________________________________________________________ Get your own FREE zombieworld.com Email account at... http://www.evilemail.com zombieworld.com - The dead come back to life, just for you. _________________________________________________________
This archive was generated by hypermail 2b30 : Sat Sep 08 2001 - 00:46:20 PDT