Bugtraq mailing list archives

Re: slashdot / slashcode disclosing passwords


From: Craig Dickson <crdic () pacbell net>
Date: Wed, 11 Sep 2002 13:39:52 -0700

Michal Zalewski wrote:

> I noticed that Slashdot has a nasty bug, which, I imagine, is a fault of
> Slashcode. On certain occasions, you can find a very interesting Referer
> string for some visitors of pages mentioned on this site. One of such
> entries:
>
> 63.XXX.XXX.175 - - [11/Sep/2002:18:13:33 +0200] "GET /newtcp/ HTTP/1.1"
> 200 33541 "http://slashdot.org/?unickname=dXXg&passwd=rXXXX3"
> "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.1) Gecko/20020826"
> [lcamtuf.coredump.cx]
>
> Go figure. This does not seem to be a consistent pattern, of thousands
> of hits from Slashdot only about 15-20 were like that today, so it seems
> like a specific condition has to be met,...

"That's not a bug, that's a feature!" Or at least a side effect,
possibly unforeseen, of an intentional feature. (Disclaimer: I am not a
Slashcode developer, and have never looked at the Slashcode. However, I
have had an account at Slashdot for about three years now.)

Slashcode allows you to connect with
"http://site/?unickname=my+nick&upasswd=passwd" as a "quick login". It
has been like this for years, and has always been documented as being
"totally insecure, but very convenient". (Cite: log in to slashdot.org,
then go to "/users.pl?op=edituser")

I would guess there are two factors that account for your seeing this
quite infrequently:

(1) Many people don't use this "quick login" feature;

(2) They have to click through to your site from the page they gave the
    "quick login" to (which is probably Slashdot's front page). These
    parameters won't be in the referer URL otherwise.

So the scenario for duplicating this would be:

(1) Connect to Slashdot using the "quick login";

(2) Click on an external link immediately, without any prior navigation
    within Slashdot itself. (Or navigate within Slashdot, then use the
    browser's "Back" button to go back to the initial page, then click
    on the external link.)

(3) The external link gets your Slashdot username/password in the
    referer field.

Craig
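
An added example, not part of the original message and not Slashcode's own code: a check a site operator could run over their own access logs to find Referer values that carry quick-login style credentials and redact them before the logs are stored or shared. The parameter names beyond `passwd` and `upasswd`, the host names and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Assumption: query parameter names treated as secrets. "passwd" and "upasswd"
# appear in the thread; the others are common names added for illustration.
SECRET_PARAMS = {"passwd", "upasswd", "password", "pass", "pwd", "token"}

def redact_referer(referer):
    """Return (redacted_url, leaked_param_names) for one Referer value."""
    parts = urlsplit(referer)
    leaked, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            leaked.append(name)
            value = "REDACTED"
        kept.append((name, value))
    if not leaked:
        return referer, []
    return urlunsplit(parts._replace(query=urlencode(kept))), leaked

def scan(lines):
    """Yield one finding per log line whose Referer carries a secret parameter."""
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format, nothing to inspect
        redacted, leaked = redact_referer(m.group("referer"))
        if leaked:
            yield {"line": lineno, "host": m.group("host"),
                   "origin": urlsplit(redacted).netloc,
                   "params": leaked, "referer": redacted}

# Constructed sample log lines (documentation addresses and example hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Sep/2002:18:13:33 +0200] "GET /newtcp/ HTTP/1.1" 200 33541 '
    '"http://forum.example/?unickname=alice&passwd=hunter2" "Mozilla/5.0"',
    '192.0.2.11 - - [11/Sep/2002:18:14:02 +0200] "GET /newtcp/ HTTP/1.1" 200 33541 '
    '"http://forum.example/article.pl?sid=1" "Mozilla/5.0"',
    '192.0.2.12 - - [11/Sep/2002:18:15:47 +0200] "GET / HTTP/1.1" 200 1024 '
    '"http://forum.example/?unickname=my+nick&upasswd=s3cret" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The `origin` field names the site whose URLs are leaking, which is the party that has to stop putting credentials in query strings.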
