[SA-2002:01] Slashcode login vulnerability RISK FACTOR: HIGH SYNOPSIS Slash, the code that runs Slashdot and many other web sites, has a cross-site scripting vulnerability in all versions prior to 2.2.5, released February 7, 2002. Users who have Javascript enabled, and who can be persuaded to click on an attacker's URL on a victim Slash website, will send their Slash cookie, with username and password, to the attacker's website. The attacker can then take over the user's account. If the user is an administrator of the victim Slash website, the attacker can take nearly full control of that site (post and delete stories, edit users, post as other users, etc.). VULNERABLE SYSTEMS Any Slash system running code prior to 2.2.5 (released February 7, 2002). This includes 1.x and 2.0.x as well as 2.2.0 through 2.2.4. Sites using the development code from CVS since February 7 are unaffected. RESOLUTION Slash 2.1 and 2.2 sites should upgrade to Slash 2.2.5 immediately. Systems running development code from CVS should run cvs update and install the most recent code. Slash 1.0.x and 2.0.x are no longer supported and there will not be further releases. Sites running these versions should apply the patches at this URL: http://slashcode.com/article.pl?sid=02/02/07/1624221 Further, site administrators should change their passwords, and check the "seclev" field in the users table to make sure no one has a seclev greater to or equal than "100" who should not have administrator privileges: mysql> SELECT uid, nickname, seclev FROM users WHERE seclev >= 100; That should list only users with some administrator privileges. As always, Slash site administrators should subscribe to the slashcode-general or slashcode-announce mailing lists, to keep up to date on the latest releases and security notices. Subscription information is on the Slashcode site at <http://slashcode.com/>. CREDITS Hiromitsu Takagi discovered the vulnerability and alerted the Slash programming team with a proof of concept. Slash 2.2.5 was released the next morning (U.S. time), twelve hours later. CONTACT INFORMATION The Slash website is at <http://slashcode.com/>. Issues regarding the Slash 2.2.5 release specifically may be sent to Jamie McCarthy, jamie@osdn.com. Any security issues relating to OSDN software, including Slash, may be sent to security@osdn.com. -- Jamie McCarthy jamie@mccarthy.vg
