List: slashcode-general
Subject: [Slashcode-general] SECURITY: Two Slash Data Sanitization Security
From: Chris Nandor <pudge () slashdot ! org>
Date: 2008-06-09 21:17:46
Message-ID: 0908616B-1316-426C-95EA-CA0665730492 () slashdot ! org
Two longstanding security issues were found and fixed in Slash, the
code that powers Slashdot (http://slashdot.org/), in May 2008. The
second of the two -- found and reported to us by Scott R. White
<swhite@securestate.com>, of http://www.securestate.com/ -- is easily
exploitable and must be fixed immediately on all Slash 2.x sites.
The first, found and fixed on May 1, was a problem with filtering
certain types of form data: form inputs where the form name is matched
against a regex. At some point years ago, during refactoring, the
code was changed to use a named variable, instead of the default
variable, so the matching was not actually being done, and the
corresponding values were not being properly sanitized.
http://github.com/scc/slash/commit/cf5866dca5f4670a947795926040551306790998
No known exploits exist for this issue, either against the database or
for cross-site scripting (XSS). A code review was performed and no way
to abuse it was found, but that does not mean it cannot be abused.
The second issue, found and fixed on May 23, is similar: the code to
properly filter the "sid" of a story was not anchored properly, and
additional data could be tacked onto the value and left unsanitized.
Thanks to Scott R. White for alerting us to the problem.
http://github.com/scc/slash/commit/fda1c295ac0f45938e48f57f40605cb2dc8033cc
As with the above issue, no known database exploits exist for this
issue, HOWEVER it is easily exploitable with standard XSS techniques,
and all Slash sites MUST either UPDATE to the latest code, or use the
patch at the URL above to manually fix their site.
Both issues have existed for years. If you are on Slash 2.x, you are
almost certainly affected.
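To make the two bug classes concrete, here is a small Perl script, added for illustration and not taken from Slash or from the commits above, that shows each bug beside its fix: a regex match bound to the wrong variable, and an unanchored validation pattern. The field names, the sid format and the filter routing are constructed assumptions for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed input (not Slash's own data or code); the sid format is an
# assumption made for this example.
my %form = (
    comment => '<b>hi</b><script>alert(1)</script>',
    bio     => 'plain text',
    sid     => '08/06/09/2110205',
);
my $name_re = qr/\A(?:comment|bio)\z/;

# Bug 1 (the May 1 class): the loop binds each field name to a named
# lexical, but the bare match still tests $_, which is unset here, so no
# field ever matches and none gets routed to the strict filter. Perl's
# "Use of uninitialized value $_ in pattern match" warning is the tell-tale.
sub filtered_keys_buggy {
    my @hit;
    for my $key (sort keys %form) {
        push @hit, $key if /$name_re/;    # tests $_, not $key
    }
    return @hit;
}

# Fix: bind the match to the variable actually under test.
sub filtered_keys_fixed {
    my @hit;
    for my $key (sort keys %form) {
        push @hit, $key if $key =~ /$name_re/;
    }
    return @hit;
}

# Bug 2 (the May 23 class): an unanchored pattern only needs a well-formed
# prefix somewhere in the value, so anything appended to it survives.
sub sid_ok_buggy { my ($sid) = @_; return $sid =~ m{\d\d/\d\d/\d\d/\d+} ? 1 : 0 }

# Fix: anchor both ends with \A and \z rather than ^ and $, since $ also
# matches before a trailing newline and would still pass "...205\n".
sub sid_ok_fixed { my ($sid) = @_; return $sid =~ m{\A\d\d/\d\d/\d\d/\d+\z} ? 1 : 0 }

printf "buggy keys: [%s]  fixed keys: [%s]\n",
    join(',', filtered_keys_buggy()), join(',', filtered_keys_fixed());
for my $p (['clean', $form{sid}],
           ['appended XSS', "$form{sid}<script>alert(1)</script>"],
           ['trailing newline', "$form{sid}\n"]) {
    printf "%-17s buggy=%d fixed=%d\n", $p->[0], sid_ok_buggy($p->[1]), sid_ok_fixed($p->[1]);
}
```

Running it shows the buggy key filter selecting nothing while the fixed one selects `bio` and `comment`, and the buggy sid check accepting all three probes while the anchored one accepts only the clean value.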
We will be making a more public announcement on the announce list and
the web site next week, so this is your heads-up to get it fixed.
Contact me directly, or reply here on the list, if you have any
questions.
As always (not that this happens often!), please contact us about
security matters at security@slashcode.com, and feel free to join the
low-traffic slashcode-general mailing list to keep updated on
security-related matters.
https://lists.sourceforge.net/lists/listinfo/slashcode-general
--
Chris Nandor pudge@slashdot.org http://slashdot.org/