From: Chris N. <pu...@sl...> - 2008-06-09 21:17:52
Two longstanding security issues were found and fixed in Slash, the code that powers Slashdot (http://slashdot.org/), in May 2008. The second of the two -- found and reported to us by Scott R. White <sw...@se... >, of http://www.securestate.com/ -- is easily exploitable and must be fixed immediately on all Slash 2.x sites.

The first, found and fixed on May 1, was a problem with filtering certain types of form data: form inputs where the form name is matched against a regex. At some point years ago, during refactoring, the code was changed to use a named variable instead of the default variable, so the match was never actually performed against the form name, and the corresponding values were not being properly sanitized.

http://github.com/scc/slash/commit/cf5866dca5f4670a947795926040551306790998

No known exploits -- either for the database, or cross-site scripting (XSS) -- exist for this issue. A code review was performed and no way to abuse it was found, but that does not mean it cannot be abused.

The second issue, found and fixed on May 23, is similar: the regex that filters the "sid" of a story was not anchored properly, so additional data could be tacked onto the value and left unsanitized. Thanks to Scott R. White for alerting us to the problem.

http://github.com/scc/slash/commit/fda1c295ac0f45938e48f57f40605cb2dc8033cc

As with the above issue, no known database exploits exist for this issue, HOWEVER it is easily exploitable with standard XSS techniques, and all Slash sites MUST either UPDATE to the latest code, or use the patch at the URL above to manually fix their site.

Both issues have existed for years. If you are on Slash 2.x, you are almost certainly affected. We will be making a more public announcement on the announce list and the web site next week, so this is your heads-up to get it fixed. Contact me directly, or reply here on the list, if you have any questions.
As always (not that this happens often!), please contact us about security matters at sec...@sl..., and feel free to join the low-traffic slashcode-general mailing list to keep updated on security-related matters. https://lists.sourceforge.net/lists/listinfo/slashcode-general

-- 
Chris Nandor pu...@sl... http://slashdot.org/
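The two bug classes described above (a regex silently matched against the default variable instead of the named one, and an unanchored validation regex that accepts trailing data), as an added illustration that is not Slash's code; the field names and the sid character class are simplified assumptions chosen only to show each defect next to its fix:

```perl
#!/usr/bin/perl
# Added illustration, not code from Slash. Field names and the assumed
# "digits and slashes" sid format are placeholders, not Slash's real rules.
use strict;
use warnings;

# Bug class 1: a loop variable was renamed, but the bare regex still tests
# $_ rather than the named variable, so the filter decision is made on
# whatever $_ happens to hold (often nothing) and never on $key.
sub needs_filtering_buggy {
    my ($key) = @_;
    no warnings 'uninitialized';     # suppressed only to show the silent miss
    return /^(?:title|body)$/ ? 1 : 0;   # matches against $_, not $key
}

sub needs_filtering_fixed {
    my ($key) = @_;
    return $key =~ /^(?:title|body)$/ ? 1 : 0;   # bind the match to $key
}

# Bug class 2: without anchors the pattern only has to find a valid-looking
# substring somewhere, so a clean prefix followed by anything is accepted.
sub sid_is_clean_buggy {
    my ($sid) = @_;
    return $sid =~ /[0-9\/]+/ ? 1 : 0;           # no anchors at all
}

# \A and \z anchor to the true start and end of the string; plain $ would
# still allow a trailing newline, which is why \z is used here.
sub sid_is_clean_fixed {
    my ($sid) = @_;
    return $sid =~ /\A[0-9\/]+\z/ ? 1 : 0;
}

# Constructed probes: a well-formed sid and the same sid with junk appended.
for my $key ('title', 'comment') {
    printf "field %-8s buggy=%d fixed=%d\n", $key,
        needs_filtering_buggy($key), needs_filtering_fixed($key);
}
for my $sid ('08/06/09/1234', '08/06/09/1234"><b>x</b>') {
    printf "sid %-26s buggy=%d fixed=%d\n", $sid,
        sid_is_clean_buggy($sid), sid_is_clean_fixed($sid);
}
```

Running it shows the buggy name check returning 0 even for "title", and the unanchored sid check returning 1 for the probe with appended markup while the anchored version returns 0.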