This is a problem, indeed. Worse yet, there's only a small chance we can fix it anytime soon, seeing as Plastic is currently without either an engineer to make a fix or even access to our servers. This inaccessibility, which is a long and unsurprisingly stupid story (involving unpaid bills, natch), will with any luck improve in the next week, but until then, our choices are bad and worse. Bad, in that we have a severe security flaw that can't be fixed at the moment. Or worse, that we may have a severe security flaw that someone could easily publicize (perhaps this has already happened?), giving all idle hands ample time to casually root around through people's mail.

I've cc:'d Plastic's ex-engineer, Jon Phelps, in the hopes that he might be able to prevail on our long-unpaid (but still hosting!) ISP to give him access and patch this up (assuming that he's willing and able.) My fingers are tightly crossed.

Any advice on handling this would be welcome in the interim. I'm tempted to post it as a story, urging people to delete any sensitive correspondence, but again, my fear is that publicizing it without being able to fix it will just heighten abuse. And since only a fraction of the people affected would likely see the post, there'd be ample time for people to engage in mischief, should they be so inclined. Hell, I don't even know whether "deleting" messages would actually make them inaccessible.

Uggh, I feel ill.

-joey anuff
volunteer editor, Plastic

----- Original Message -----
From: "Kath" <kath@kathweb.net>
To: <brain_eater@zombieworld.com>; <bugtraq@securityfocus.com>
Cc: <support@plastic.com>; <editors@plastic.com>
Sent: Saturday, September 08, 2001 3:24 PM
Subject: Re: Insecure handling of notes in Slashcode

> They should just do a random 10-16 char string and then md5 that to do an
> id... simple fix.
>
> - k
>
> ----- Original Message -----
> From: "jesus lovejones" <brain_eater@zombieworld.com>
> To: <bugtraq@securityfocus.com>
> Sent: Saturday, September 08, 2001 1:06 AM
> Subject: Insecure handling of notes in Slashcode
>
> > Security Advisory - September 9, 2001
> > plastic.com's Slashcode
> >
> > Overview:
> > The implementation of private notes on plastic.com's Slashcode-driven site
> > is insecure. Any logged in user can view any message in the system.
> >
> > Description:
> > After logging into the site as a user,
> > http://www.plastic.com/message.pl?op=read&m_id=9999 (where m_id= a given
> > message's ID) will display the message, even if you weren't the user that
> > the message was sent to.
> > http://www.automatic-media.com/privacypolicy.html says "Automatic Media
> > takes the matter of our users' privacy very seriously." Some of the user
> > data exposed through this bug would argue otherwise.
> >
> > Versions Affected:
> > Beats me. I searched Slashcode's bug tracker and didn't find any related
> > entries; I don't know what version of Slashcode plastic.com's running and I
> > don't know if notes is a feature of Slashcode or something they rolled in
> > after the fact, so I can't say how endemic this bug is.
> >
> > Resolution:
> > I e-mailed support@plastic.com and editors@plastic.com last Friday evening
> > with this information, recommending that they purge the notes database and
> > add a disclaimer on the messaging pages, and still haven't heard back from
> > them.
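
The behaviour described in the quoted advisory, next to a read handler that checks the recipient, as an added example (not Slashcode or plastic.com code, and not part of any message in this thread). The message store, user ids and function names are hypothetical, and `secrets.token_hex` stands in for the "random string, then md5" id suggested in the reply.

```python
import secrets

# Constructed sample data: message id -> recipient user id and body.
MESSAGES = {
    9998: {"to_uid": 17, "body": "note for user 17"},
    9999: {"to_uid": 42, "body": "note for user 42"},
}


class Forbidden(Exception):
    """Raised when the session may not read the requested message."""


def read_message_vulnerable(session_uid, m_id):
    # Behaviour from the advisory: being logged in is the only check.
    if session_uid is None:
        raise Forbidden("login required")
    return MESSAGES[m_id]["body"]


def read_message_checked(session_uid, m_id):
    # Same lookup, but the stored recipient must match the logged-in user.
    if session_uid is None:
        raise Forbidden("login required")
    msg = MESSAGES.get(m_id)
    # One error for "missing" and "not yours", so responses do not reveal
    # which ids exist.
    if msg is None or msg["to_uid"] != session_uid:
        raise Forbidden("no such message")
    return msg["body"]


def new_message_id():
    # 128-bit id from the OS CSPRNG; harder to guess than a counter, but the
    # recipient check above is what decides who may read a message.
    return secrets.token_hex(16)


def readable_ids(reader, session_uid, ids):
    # Regression check: which ids does this session actually get a body for?
    found = []
    for m_id in ids:
        try:
            reader(session_uid, m_id)
            found.append(m_id)
        except (Forbidden, KeyError):
            pass
    return found
```

Running `readable_ids` for one user over a range of ids against both handlers shows the difference: the first returns every existing message, the second only that user's own.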