
List:       slashcode-general
Subject:    [Slashcode-general] SECURITY: Two Slash Data Sanitization Security
From:       Chris Nandor <pudge () slashdot ! org>
Date:       2008-06-09 21:17:46
Message-ID: 0908616B-1316-426C-95EA-CA0665730492 () slashdot ! org

Two longstanding security issues were found and fixed in Slash, the  
code that powers Slashdot (http://slashdot.org/), in May 2008.  The  
second of the two -- found and reported to us by Scott R. White  
<swhite@securestate.com>, of http://www.securestate.com/ -- is easily exploitable and must  
be fixed immediately on all Slash 2.x sites.



The first, found and fixed on May 1, was a problem with filtering  
certain types of form data: form inputs where the form name is matched  
against a regex.  At some point years ago, during refactoring, the  
code was changed to use a named variable, instead of the default  
variable, so the matching was not actually being done, and the  
corresponding values were not being properly sanitized.

  http://github.com/scc/slash/commit/cf5866dca5f4670a947795926040551306790998

No known exploits -- either for the database, or cross-site scripting  
(XSS) -- exist for this issue. A code review was performed and did not  
find a way to abuse it, but that does not mean it cannot be abused.



The second issue, found and fixed on May 23, is similar: the code to  
properly filter the "sid" of a story was not anchored properly, and  
additional data could be tacked onto the value and left unsanitized.   
Thanks to Scott R. White for alerting us to the problem.

  http://github.com/scc/slash/commit/fda1c295ac0f45938e48f57f40605cb2dc8033cc

As with the above issue, no known database exploits exist for this  
issue, HOWEVER it is easily exploitable with standard XSS techniques,  
and all Slash sites MUST either UPDATE to the latest code, or use the  
patch at the URL above to manually fix their site.
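The two defects above share one shape: a filter is chosen by matching a name against a regex, and a value is accepted by matching it against a regex, and in both cases the match was not actually constraining the data. The example below is an added illustration written in Python (Slash itself is Perl; this is not Slash's code and the Perl default-variable slip behind the first issue is represented here simply by an explicit `name_re.fullmatch(name)` check). It assumes a story sid of the shape YY/MM/DD/HHMMSSn and a constructed form; it contrasts the unanchored sid check, which lets a trailing payload through, with the anchored one.

```python
import re
from html import escape

# Constructed reconstruction, not Slash's own code. ASSUMPTION: a story sid
# looks like YY/MM/DD/HHMMSSn, e.g. "08/06/09/2117246".
SID_RE = re.compile(r"\d{2}/\d{2}/\d{2}/\d{6,7}")

def sid_unanchored(value):
    """Pre-fix shape: the pattern only has to occur somewhere in the value,
    so anything tacked on after a valid sid is returned unsanitized."""
    return value if SID_RE.search(value) else None

def sid_anchored(value):
    """Fixed shape: the whole value must be the sid and nothing more."""
    return value if SID_RE.fullmatch(value) else None

# Field-name rules for the form sanitizer (constructed): each name regex is
# fully matched against the field name and the paired filter is applied to
# the value. Filters return None to reject a value outright.
FIELD_RULES = [
    (re.compile(r"sid"), sid_anchored),
    (re.compile(r"(?:.*_)?id"), lambda v: v if re.fullmatch(r"\d+", v) else None),
]

def sanitize_form(form):
    """Return a copy of the form with every value passed through the filter
    whose name pattern matches. Fields matching no rule are HTML-escaped;
    a value that fails its filter is dropped rather than passed through."""
    clean = {}
    for name, value in form.items():
        for name_re, filt in FIELD_RULES:
            # The match result must actually drive the decision; a filter
            # that is never selected means the value is never sanitized.
            if name_re.fullmatch(name):
                result = filt(value)
                if result is not None:
                    clean[name] = result
                break
        else:
            clean[name] = escape(value, quote=True)
    return clean
```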



Both issues have existed for years.  If you are on Slash 2.x, you are  
almost certainly affected.

We will be making a more public announcement on the announce list and  
the web site next week, so this is your heads-up to get it fixed.   
Contact me directly, or reply here on the list, if you have any  
questions.


As always (not that this happens often!), please contact us about  
security matters at security@slashcode.com, and feel free to join the  
low-traffic slashcode-general mailing list to keep updated on  
security-related matters.

	https://lists.sourceforge.net/lists/listinfo/slashcode-general

-- 
Chris Nandor             pudge@slashdot.org       http://slashdot.org/

