Re: slashdot / slashcode disclosing passwords

Michal Zalewski wrote:

> I noticed that Slashdot has a nasty bug, which, I imagine is a fault of
> Slashcode. On certain occasions, you can find a very interesting Referer
> string for some visitors of pages mentioned on this site. One of such
> entries:
> 
> 63.XXX.XXX.175 - - [11/Sep/2002:18:13:33 +0200] "GET /newtcp/ HTTP/1.1"
> 200 33541 "http://slashdot.org/?unickname=dXXg&passwd=rXXXX3"
> "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.1) Gecko/20020826"
> [lcamtuf.coredump.cx]
> 
> Go figure. This does not seem to be a consistent pattern, of thousands of
> hits from Slashdot only about 15-20 were like that today, so it seems like
> a specific condition has to be met,...

"That's not a bug, that's a feature!" Or at least a side effect,
possibly unforeseen, of an intentional feature. (Disclaimer: I am not a
Slashcode developer, and have never looked at the Slashcode. However, I
have had an account at Slashdot for about three years now.)

Slashcode allows you to connect with
"http://site/?unickname=my+nick&upasswd=passwd" as a "quick login". It
has been like this for years, and has always been documented as being
"totally insecure, but very convenient". (Cite: log in to slashdot.org,
then go to "/users.pl?op=edituser")

I would guess there are two factors that account for your seeing this
quite infrequently:

(1) Many people don't use this "quick login" feature;

(2) They have to click through to your site from the page they gave the
    "quick login" to (which is probably Slashdot's front page). These
    parameters won't be in the referer URL otherwise.

So the scenario for duplicating this would be:

(1) Connect to Slashdot using the "quick login";

(2) Click on an external link immediately, without any prior navigation
    within Slashdot itself. (Or navigate within Slashdot, then use the
    browser's "Back" button to go back to the initial page, then click
    on the external link.)

(3) The external link gets your Slashdot username/password in the
    referer field.

Craig
