Home page logo

bugtraq logo Bugtraq mailing list archives

[SA-2002:01] Slashcode login vulnerability
From: Jamie McCarthy <jamie () mccarthy vg>
Date: Tue, 19 Feb 2002 10:38:25 -0500

[SA-2002:01] Slashcode login vulnerability



Slash, the code that runs Slashdot and many other web sites, has a
cross-site scripting vulnerability in all versions prior to 2.2.5,
released February 7, 2002.

Users who have Javascript enabled, and who can be persuaded to click
on an attacker's URL on a victim Slash website, will send their
Slash cookie, with username and password, to the attacker's website.

The attacker can then take over the user's account.  If the user is
an administrator of the victim Slash website, the attacker can take
nearly full control of that site (post and delete stories, edit
users, post as other users, etc.).


Any Slash system running code prior to 2.2.5 (released February 7,
2002).  This includes 1.x and 2.0.x as well as 2.2.0 through 2.2.4.
Sites using the development code from CVS since February 7 are


Slash 2.1 and 2.2 sites should upgrade to Slash 2.2.5 immediately.
Systems running development code from CVS should run cvs update and
install the most recent code.

Slash 1.0.x and 2.0.x are no longer supported and there will not
be further releases.  Sites running these versions should apply
the patches at this URL:


Further, site administrators should change their passwords, and
check the "seclev" field in the users table to make sure no one has
a seclev greater to or equal than "100" who should not have
administrator privileges:

  mysql> SELECT uid, nickname, seclev FROM users WHERE seclev >= 100;

That should list only users with some administrator privileges.

As always, Slash site administrators should subscribe to the
slashcode-general or slashcode-announce mailing lists, to keep up to
date on the latest releases and security notices.  Subscription
information is on the Slashcode site at <http://slashcode.com/>.


Hiromitsu Takagi discovered the vulnerability and alerted the Slash
programming team with a proof of concept.  Slash 2.2.5 was released
the next morning (U.S. time), twelve hours later.


The Slash website is at <http://slashcode.com/>.

Issues regarding the Slash 2.2.5 release specifically may be sent
to Jamie McCarthy, jamie () osdn com 

Any security issues relating to OSDN software, including Slash,
may be sent to security () osdn com 
 Jamie McCarthy
 jamie () mccarthy vg

  By Date           By Thread  

Current thread:
  • [SA-2002:01] Slashcode login vulnerability Jamie McCarthy (Feb 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]