Bugtraq mailing list archives
Re: Insecure handling of notes in Slashcode
From: "Anuff Joey" <joey () automatic-media com>
Date: Sat, 8 Sep 2001 16:50:58 -0400
This is a problem, indeed. Worse yet, there's only a small chance we can fix it anytime soon, seeing as Plastic is currently without either an engineer to make a fix or even access to our servers. This inaccessibility, which is a long and unsurprisingly stupid story (involving unpaid bills, natch), will with any luck improve in the next week, but until then, our choices are bad and worse. Bad, in that we have a severe security flaw that can't be fixed at the moment. Or worse, that we may have a severe security flaw that someone could easily publicize (perhaps this has already happened?), giving all idle hands ample time to casually root around through people's mail.

I've cc:'d Plastic's ex-engineer, Jon Phelps, in the hopes that he might be able to prevail on our long-unpaid (but still hosting!) ISP to give him access and patch this up (assuming that he's willing and able.) My fingers are tightly crossed.

Any advice on handling this would be welcome in the interim. I'm tempted to post it as a story, urging people to delete any sensitive correspondence, but again, my fear is that publicizing it without being able to fix it will just heighten abuse. And since only a fraction of the people affected would likely see the post, there'd be ample time for people to engage in mischief, should they be so inclined. Hell, I don't even know whether "deleting" messages would actually make them inaccessible. Uggh, I feel ill.

-joey anuff
volunteer editor, Plastic

----- Original Message -----
From: "Kath" <kath () kathweb net>
To: <brain_eater () zombieworld com>; <bugtraq () securityfocus com>
Cc: <support () plastic com>; <editors () plastic com>
Sent: Saturday, September 08, 2001 3:24 PM
Subject: Re: Insecure handling of notes in Slashcode

They should just do a random 10-16 char string and then md5 that to do an id... simple fix.

- k

----- Original Message -----
From: "jesus lovejones" <brain_eater () zombieworld com>
To: <bugtraq () securityfocus com>
Sent: Saturday, September 08, 2001 1:06 AM
Subject: Insecure handling of notes in Slashcode

Security Advisory - September 9, 2001
plastic.com's Slashcode

Overview:
The implementation of private notes on plastic.com's Slashcode-driven site is insecure. Any logged in user can view any message in the system.

Description:
After logging into the site as a user, http://www.plastic.com/message.pl?op=read&m_id=9999 (where m_id= a given message's ID) will display the message, even if you weren't the user that the message was sent to.

http://www.automatic-media.com/privacypolicy.html says "Automatic Media takes the matter of our users' privacy very seriously." Some of the user data exposed through this bug would argue otherwise.

Versions Affected:
Beats me. I searched Slashcode's bug tracker and didn't find any related entries; I don't know what version of Slashcode plastic.com's running and I don't know if notes is a feature of Slashcode or something they rolled in after the fact, so I can't say how endemic this bug is.

Resolution:
I e-mailed support () plastic com and editors () plastic com last Friday evening with this information, recommending that they purge the notes database and add a disclaimer on the messaging pages, and still haven't heard back from them.
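
An added example, not part of the original thread and not Slashcode's or Plastic's code: the message read described in the advisory, shown in Python as a lookup by `m_id` alone beside a lookup that also checks the recipient, with an audit helper that lists which reads leak. The store layout, user ids and function names are assumptions; `new_message_id` uses `secrets.token_hex` in place of the md5-of-a-random-string idea from the thread, and is shown alongside the recipient check rather than instead of it.

```python
import secrets

# Constructed sample store: m_id -> recipient uid and body (hypothetical layout).
MESSAGES = {
    9998: {"to_uid": 17, "body": "note for user 17"},
    9999: {"to_uid": 42, "body": "note for user 42"},
}


class Forbidden(Exception):
    """Raised when the session user may not read the requested message."""


def read_message_unchecked(session_uid, m_id):
    # Behaviour described in the advisory: being logged in is the only check.
    if session_uid is None:
        raise Forbidden("login required")
    return MESSAGES[m_id]["body"]


def read_message_checked(session_uid, m_id):
    # Authorization is tied to the recipient, not to knowing the id.
    msg = MESSAGES.get(m_id)
    if session_uid is None or msg is None or msg["to_uid"] != session_uid:
        # Same error for "missing" and "not yours" so ids cannot be probed.
        raise Forbidden("no such message")
    return msg["body"]


def new_message_id():
    # 128-bit unguessable id; makes enumeration impractical but is not
    # an access control on its own (ids leak via logs, referrers, history).
    return secrets.token_hex(16)


def audit(reader, uids, m_ids):
    """Return (uid, m_id) pairs where a non-recipient could read a message."""
    leaks = []
    for uid in uids:
        for m_id in m_ids:
            try:
                reader(uid, m_id)
            except Forbidden:
                continue
            if MESSAGES[m_id]["to_uid"] != uid:
                leaks.append((uid, m_id))
    return leaks
```
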
Current thread:
- Insecure handling of notes in Slashcode jesus lovejones (Sep 08)
- Message not available
- Re: Insecure handling of notes in Slashcode Anuff Joey (Sep 08)
- Message not available
- <Possible follow-ups>
- Re: Insecure handling of notes in Slashcode Chris Nandor (Sep 09)