[SA-2002:01] Slashcode login vulnerability

From: Jamie McCarthy (jamieat_private)
Date: Tue Feb 19 2002 - 07:38:25 PST


    RISK FACTOR: HIGH
    
    
    SYNOPSIS
    
    Slash, the code that runs Slashdot and many other web sites, has a
    cross-site scripting vulnerability in all versions prior to 2.2.5,
    released February 7, 2002.
    
    Users who have Javascript enabled, and who can be persuaded to click
    on an attacker's URL on a victim Slash website, will send their
    Slash cookie, with username and password, to the attacker's website.
    
    The attacker can then take over the user's account.  If the user is
    an administrator of the victim Slash website, the attacker can take
    nearly full control of that site (post and delete stories, edit
    users, post as other users, etc.).
    
    
    VULNERABLE SYSTEMS
    
    Any Slash system running code prior to 2.2.5 (released February 7,
    2002).  This includes 1.x and 2.0.x as well as 2.2.0 through 2.2.4.
    Sites using the development code from CVS since February 7 are
    unaffected.
    
    
    RESOLUTION
    
    Slash 2.1 and 2.2 sites should upgrade to Slash 2.2.5 immediately.
    Systems running development code from CVS should run cvs update and
    install the most recent code.
    
    Slash 1.0.x and 2.0.x are no longer supported and there will not
    be further releases.  Sites running these versions should apply
    the patches at this URL:
    
      http://slashcode.com/article.pl?sid=02/02/07/1624221
    
    Further, site administrators should change their passwords, and
    check the "seclev" field in the users table to make sure that no one
    who should not have administrator privileges has a seclev greater
    than or equal to 100:
    
      mysql> SELECT uid, nickname, seclev FROM users WHERE seclev >= 100;
    
    That should list only users with some administrator privileges.
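    As an added illustration, not part of the advisory, the following Python script runs the same seclev check against a constructed SQLite stand-in for the users table and flags any uid with seclev >= 100 that is not on a list of known administrators. The column layout, the sample rows and the EXPECTED_ADMIN_UIDS allowlist are assumptions made for the example.

```python
import sqlite3

# Constructed stand-in for the Slash "users" table. The real table lives in
# MySQL; sqlite3 is used here only so the check runs offline. Rows are made up.
SAMPLE_USERS = [
    (1, "admin", 10000),   # site owner
    (2, "editor", 100),    # legitimate editor with admin rights
    (3, "reader", 1),      # ordinary user
    (4, "anon", 0),
    (5, "lurker", 150),    # seclev raised without authorization
]

# Assumed allowlist: the uids that are supposed to hold admin-level seclev.
EXPECTED_ADMIN_UIDS = {1, 2}


def build_sample_db():
    """Create an in-memory users table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uid INTEGER PRIMARY KEY, nickname TEXT, seclev INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def privileged_users(conn, threshold=100):
    """The advisory's query: every account whose seclev is >= threshold."""
    cur = conn.execute(
        "SELECT uid, nickname, seclev FROM users WHERE seclev >= ? ORDER BY uid",
        (threshold,),
    )
    return cur.fetchall()


def unexpected_admins(conn, expected_uids, threshold=100):
    """Privileged accounts missing from the allowlist: review these first."""
    return [row for row in privileged_users(conn, threshold) if row[0] not in expected_uids]


if __name__ == "__main__":
    db = build_sample_db()
    for uid, nick, lvl in privileged_users(db):
        print(f"seclev {lvl:>5}  uid {uid}  {nick}")
    suspicious = unexpected_admins(db, EXPECTED_ADMIN_UIDS)
    if suspicious:
        print("UNEXPECTED admin-level accounts:", suspicious)
```

    Any account the script reports as unexpected should have its seclev reset and its password changed along with the administrators' own.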
    
    As always, Slash site administrators should subscribe to the
    slashcode-general or slashcode-announce mailing lists, to keep up to
    date on the latest releases and security notices.  Subscription
    information is on the Slashcode site at <http://slashcode.com/>.
    
    
    CREDITS
    
    Hiromitsu Takagi discovered the vulnerability and alerted the Slash
    programming team with a proof of concept.  Slash 2.2.5 was released
    the next morning (U.S. time), twelve hours later.
    
    
    CONTACT INFORMATION
    
    The Slash website is at <http://slashcode.com/>.
    
    Issues regarding the Slash 2.2.5 release specifically may be sent
    to Jamie McCarthy, jamieat_private
    
    Any security issues relating to OSDN software, including Slash,
    may be sent to securityat_private
    --
     Jamie McCarthy
     jamieat_private
    