From: Chris Nandor <pudge@sl...> - 2008-06-09 21:17:52
Two longstanding security issues were found and fixed in Slash, the
code that powers Slashdot (http://slashdot.org/), in May 2008. The
second of the two -- found and reported to us by Scott R. White
<swhite@...>, of http://www.securestate.com/ -- is easily exploitable
and must be fixed immediately on all Slash 2.x sites.

The first, found and fixed on May 1, was a problem with filtering
certain types of form data: form inputs where the form name is matched
against a regex. At some point years ago, during refactoring, the loop
was changed to use a named variable instead of the default variable
($_), while the match still tested the default variable, so the
matching was not actually being done and the corresponding values were
not being properly sanitized.

No known exploits -- either for the database or for cross-site
scripting (XSS) -- exist for this issue, and a code review found no
way to abuse it, but that doesn't mean it couldn't be

The second issue, found and fixed on May 23, is similar: the regex that
filters the "sid" of a story was not properly anchored, so additional
data could be tacked onto the end of the value and left unsanitized.
Thanks to Scott R. White for alerting us to the problem.

As with the above issue, no known database exploits exist for this
issue; HOWEVER, it is easily exploitable with standard XSS techniques,
and all Slash sites MUST either UPDATE to the latest code or use the
patch at the URL above to manually fix their site.

Both issues have existed for years. If you are on Slash 2.x, you are
almost certainly affected.

We will be making a more public announcement on the announce list and
the web site next week, so this is your heads-up to get it fixed.

Contact me directly, or reply here on the list, if you have any

As always (not that this happens often!), please contact us about
security matters at security@..., and feel free to join the
low-traffic slashcode-general mailing list to keep updated on security-

Chris Nandor pudge@... http://slashdot.org/
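As an added illustration (this is not Slash's code, and not part of the message above), the following Perl script recreates the two failure modes the advisory describes, each next to a fixed version: a form-name match that was left testing $_ after the loop got a named variable, and a sid check anchored at the start of the value but not at the end. The field names, the escaping helper and the YY/MM/DD/NNNNNNN sid shape are assumptions for illustration only; the message does not give Slash's actual patterns.

```perl
#!/usr/bin/perl
# Added example, not code from Slash. Recreates the two filter bugs the
# advisory describes, each beside a fixed version. Field names, the
# escaping routine and the sid pattern are assumptions for illustration.
use strict;
use warnings;

# Names of form fields whose values must be HTML-escaped (assumed list).
my $FILTERED = qr/^(?:comment|subject|sig)$/;

sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Bug 1. The loop once read  for (keys %$form) { ... if /$FILTERED/ ... }
# and matched $_. Refactoring gave the loop a named variable but left the
# bare match, which still tests $_ and therefore never sees the field name.
sub filter_form_buggy {
    my ($form) = @_;
    # Perl's only hint is "Use of uninitialized value $_ in pattern match";
    # inside a larger loop $_ is usually set, so even that hint is absent.
    no warnings 'uninitialized';
    my %out;
    for my $name (keys %$form) {
        my $val = $form->{$name};
        $val = escape_html($val) if /$FILTERED/;        # tests $_, not $name
        $out{$name} = $val;
    }
    return \%out;
}

sub filter_form_fixed {
    my ($form) = @_;
    my %out;
    for my $name (keys %$form) {
        my $val = $form->{$name};
        $val = escape_html($val) if $name =~ $FILTERED;  # explicit binding
        $out{$name} = $val;
    }
    return \%out;
}

# Bug 2. Assumed sid shape YY/MM/DD/NNNNNNN; the advisory gives only the
# symptom: anchored at the start, not the end, so trailing data survives.
my $SID_RE = qr{\d\d/\d\d/\d\d/\d{6,7}};

sub clean_sid_buggy {
    my ($sid) = @_;
    return $sid =~ /^$SID_RE/ ? $sid : '';      # prefix matches, junk is kept
}

sub clean_sid_fixed {
    my ($sid) = @_;
    # \z rather than $: $ would still accept a trailing newline.
    return $sid =~ /^($SID_RE)\z/ ? $1 : '';    # the whole value must match
}

# Constructed sample input.
my %form = (
    subject => q{Hi <script>alert(1)</script>},
    op      => 'submit',
);
my $good_sid = '08/06/09/2117252';
my $evil_sid = $good_sid . q{"><script>alert(1)</script>};

my $buggy = filter_form_buggy(\%form);
my $fixed = filter_form_fixed(\%form);
print "buggy form: $buggy->{subject}\n";
print "fixed form: $fixed->{subject}\n";
print "buggy sid:  ", clean_sid_buggy($evil_sid), "\n";
print "fixed sid:  '", clean_sid_fixed($evil_sid), "' (rejected)\n";

# Self-checks so the script fails loudly if the behaviour changes.
die "buggy filter escaped the value" unless $buggy->{subject} eq $form{subject};
die "fixed filter did not escape"
    unless $fixed->{subject} eq 'Hi &lt;script&gt;alert(1)&lt;/script&gt;';
die "buggy sid filter stripped junk"  unless clean_sid_buggy($evil_sid) eq $evil_sid;
die "fixed sid filter rejected valid" unless clean_sid_fixed($good_sid) eq $good_sid;
die "fixed sid filter accepted junk"  unless clean_sid_fixed($evil_sid) eq '';
```

Two points the script is meant to make: bind every match explicitly (`$name =~ ...`) when a loop stops using $_, because a bare `/.../` keeps working syntactically while testing the wrong value; and when a validator is meant to accept a whole field, anchor both ends (`^...\z`) and hand back only the captured match, never the original string.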