Re: slashdot / slashcode disclosing passwords

From: Craig Dickson (crdicat_private)
Date: Wed Sep 11 2002 - 13:39:52 PDT

Michal Zalewski wrote:

> I noticed that Slashdot has a nasty bug, which, I imagine, is a fault of
> Slashcode. On certain occasions, you can find a very interesting Referer
> string for some visitors of pages mentioned on this site. One such
> entry:
>
> 63.XXX.XXX.175 - - [11/Sep/2002:18:13:33 +0200] "GET /newtcp/ HTTP/1.1"
> 200 33541 "http://slashdot.org/?unickname=dXXg&passwd=rXXXX3"
> "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.1) Gecko/20020826"
> [lcamtuf.coredump.cx]
>
> Go figure. This does not seem to be a consistent pattern; of thousands
> of hits from Slashdot only about 15-20 were like that today, so it seems
> like a specific condition has to be met,...

"That's not a bug, that's a feature!" Or at least a side effect,
possibly unforeseen, of an intentional feature. (Disclaimer: I am not a
Slashcode developer, and have never looked at the Slashcode. However, I
have had an account at Slashdot for about three years now.)

Slashcode allows you to connect with
"http://site/?unickname=my+nick&upasswd=passwd" as a "quick login". It
has been like this for years, and has always been documented as being
"totally insecure, but very convenient". (Cite: log in to slashdot.org,
then go to "/users.pl?op=edituser")

I would guess there are two factors that account for your seeing this
quite infrequently:

(1) Many people don't use this "quick login" feature;

(2) They have to click through to your site from the page they gave the
    "quick login" to (which is probably Slashdot's front page). These
    parameters won't be in the referer URL otherwise.

So the scenario for duplicating this would be:

(1) Connect to Slashdot using the "quick login";

(2) Click on an external link immediately, without any prior navigation
    within Slashdot itself. (Or navigate within Slashdot, then use the
    browser's "Back" button to go back to the initial page, then click
    on the external link.)

(3) The external link gets your Slashdot username/password in the
    referer field.

Craig
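The post above explains the mechanism: credentials placed in a GET query string ride along in the Referer header to whatever external site the user clicks next, so they end up in a third party's access log. The defensive counterpart is on the receiving side: a site operator whose logs collect such Referers holds other people's passwords and should detect and redact them before the logs are stored or shared. The following is an added example, not code from the thread or from Slashcode: it parses Combined Log Format lines, flags Referers whose query string carries credential-style parameters, and rewrites the line with those values masked. The parameter names `unickname`, `passwd` and `upasswd` come from the thread; the other names in `SENSITIVE_KEYS` are assumptions, and the second and third log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx Combined Log Format:
# ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Query keys that should never arrive in a Referer. unickname/passwd/upasswd
# are the names from the thread; the remaining names are an assumption about
# other common credential parameters.
SENSITIVE_KEYS = {"unickname", "passwd", "upasswd", "password", "pass",
                  "token", "sessionid"}

# First line is the entry quoted in the thread (already masked by its author);
# the other two are constructed benign entries.
SAMPLE_LOG = [
    '63.XXX.XXX.175 - - [11/Sep/2002:18:13:33 +0200] "GET /newtcp/ HTTP/1.1" '
    '200 33541 "http://slashdot.org/?unickname=dXXg&passwd=rXXXX3" '
    '"Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.1) Gecko/20020826"',
    '10.0.0.7 - - [11/Sep/2002:18:14:02 +0200] "GET /newtcp/ HTTP/1.1" '
    '200 33541 "http://slashdot.org/" "Mozilla/5.0"',
    '10.0.0.8 - - [11/Sep/2002:18:14:40 +0200] "GET /index.html HTTP/1.0" '
    '200 1024 "-" "Lynx/2.8"',
]


def find_leaked_params(referer):
    """Return the sorted list of sensitive query keys present in a Referer URL."""
    if referer in ("", "-"):
        return []
    query = parse_qs(urlsplit(referer).query, keep_blank_values=True)
    return sorted(k for k in query if k.lower() in SENSITIVE_KEYS)


def redact_referer(referer):
    """Mask the value of every sensitive query parameter, keeping the rest intact."""
    parts = urlsplit(referer)
    if not parts.query:
        return referer
    pieces = []
    for item in parts.query.split("&"):
        key, _sep, _value = item.partition("=")
        pieces.append(f"{key}=REDACTED" if key.lower() in SENSITIVE_KEYS else item)
    return parts._replace(query="&".join(pieces)).geturl()


def scan_log(lines):
    """Return (client_ip, referring_host, leaked_keys, redacted_line) for each
    log line whose Referer carries credential parameters."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format; leave for another parser
        referer = m.group("referer")
        leaked = find_leaked_params(referer)
        if leaked:
            safe_line = line.replace(referer, redact_referer(referer))
            findings.append((m.group("ip"), urlsplit(referer).hostname,
                             leaked, safe_line))
    return findings


if __name__ == "__main__":
    for ip, host, keys, safe in scan_log(SAMPLE_LOG):
        print(f"{ip} arrived from {host} with credential params {keys}")
        print("  stored as:", safe)
```

Run it against a real access log by feeding `scan_log` an open file instead of `SAMPLE_LOG`; a non-empty result means the referring site is sending its users' credentials in URLs, and the redacted line is what belongs in long-term storage. The fix on the referring site's side is the obvious one the post implies: never accept credentials from a GET query string, only from a POST body, so there is nothing for the Referer to carry.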
This archive was generated by hypermail 2b30 : Wed Sep 11 2002 - 14:14:31 PDT