Bugtraq mailing list archives

Re: XSS in Slashcode


From: Jamie McCarthy <jamie () mccarthy vg>
Date: Tue, 2 Jul 2002 10:25:40 -0400

gcsbnz () yahoo com (gcsb) writes:

> There is a nasty Cross Site Scripting (XSS) vuln in Slashcode.
> This was used a day or so ago on slashdot.org and resulted in most
> of the site being taken down for an hour or so. The maintainers
> of slashcode have patched the problem in CVS but have not even
> mentioned it anywhere that I can find.

The above is more or less true.  The bug was introduced in CVS on
June 17 and was fixed on July 1.

> This leaves all sites using slash vulnerable to this exploit.

That is totally untrue.  Very few sites are running Slash from CVS,
as the CVS tree is a pre-alpha version.  We have not yet even
stamped it with a development release number (which will be 2.3.0
as soon as we feel it is stable enough for bleeding-edge users).

If gcsb had contacted the Slash coding team before posting to
bugtraq, we would have been happy to clarify this.  As listed on our
SF.net bug page, our security address is security () slashcode com.

> If you run a site using slashcode, get the latest CVS.

Sites using the latest slashcode release (which is essentially all
of them) are unaffected.  The latest release is 2.2.5, and its
release date is February 7.  Such sites should not feel obligated
to migrate to the CVS version.

Sites running CVS should stay as current as possible at all times,
of course.  The courageous admins of those sites should probably
hang out on the IRC channel given on the slashcode.com homepage
(#slash on irc.openprojects.net).

And admins of all Slash sites should subscribe to the Announcement
and probably General mailing lists, to stay current on these issues
(signup information is also on the slashcode.com homepage).  We
will be making an announcement on those lists momentarily.

--
 Jamie McCarthy
 jamie () slashdot org

