[SA-2002:00] Slashcode login vulnerability
RISK FACTOR: HIGH
Slash, the code that runs Slashdot and many other web sites, has a
vulnerability in recent versions that allows any logged-in user to
log in as any other user.
This allows users to take nearly full control of a Slash system (post
and delete stories, edit users, post as other users, etc., and do
anything that a Slash user can do) by logging in to an administrator's
Slash account.
This affects any system running Slash 2.1.x (development versions for
2.2), 2.2.0, 2.2.1, or 2.2.2, and sites using the development code from
CVS. Slash 2.0.x and previous are unaffected.
Slash 2.2.3 should be installed for all Slash 2.1 and 2.2 sites.
Users of the development code from CVS should run cvs update and install
the most recent code.
In the meantime, if upgrading is not possible or will not happen
immediately, site administrators should either shut down the web site
or disable admin.pl and users.pl by moving them elsewhere or disabling
the execution bits (Apache may need to be restarted following this).
Further, site administrators should change their passwords, and check
the "seclev" field in the users table to make sure no one has a seclev
greater than or equal to "100" who should not have administrator
mysql> SELECT uid, nickname, seclev FROM users WHERE seclev >= 100;
That should list only users with some administrator privileges.
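
The interim steps above can be scripted. The following is an added example, not part of the advisory or of Slash: it strips the execute bits from admin.pl and users.pl and filters the seclev query output against a list of expected administrators. The function names, the directory argument, the allowlist format and DBNAME are assumptions.

```shell
#!/bin/sh
# Added example: not part of the advisory or of Slash itself.

# Strip execute bits from admin.pl and users.pl in directory $1 (ASSUMPTION:
# the caller passes the directory where the site's copies live). Returns
# non-zero if a script is missing or still executable afterwards.
disable_slash_scripts() {
    dir=$1
    rc=0
    for f in admin.pl users.pl; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            rc=1
            continue
        fi
        chmod a-x "$dir/$f" || rc=1
        mode=$(ls -ld "$dir/$f" | cut -c1-10)
        case $mode in
            *[xs]*) echo "still executable: $dir/$f ($mode)" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Read "uid<TAB>nickname<TAB>seclev" rows on stdin and print every row with
# seclev >= 100 whose uid is not in the space-separated allowlist $1.
# Rows can come from the advisory's query run in batch mode, e.g.
#   mysql -B -N -e 'SELECT uid, nickname, seclev FROM users WHERE seclev >= 100;' DBNAME
# (DBNAME is a placeholder for the site's database).
unexpected_admins() {
    awk -F '\t' -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $3 + 0 >= 100 && !($1 in ok) { print }
    '
}

# Constructed sample rows (not real data); uid 1 is the only expected admin.
printf '1\tadmin\t10000\n7\tmallory\t100\n' | unexpected_admins "1"
```

Any row printed by unexpected_admins is an account whose seclev should be reviewed and reset.
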
Site administrators should subscribe to the slashcode-general or
slashcode-announce mailing lists, to keep up to date on the latest
releases and security notices. Subscription information is on the
Slashcode site at http://slashcode.com/.
Daniel Bowers <daniel@...> found and exploited the bug, and
notified the Slash team. The Slash team immediately patched the code
and released Slash 2.2.3 three hours after notification.
Chris Nandor, pudge@...