Bugtraq mailing list archives

Re: Insecure handling of notes in Slashcode


From: "Anuff Joey" <joey () automatic-media com>
Date: Sat, 8 Sep 2001 16:50:58 -0400

This is a problem, indeed. Worse yet, there's only a small chance we can fix
it anytime soon, seeing as Plastic is currently without either an engineer
to make a fix or even access to our servers. This inaccessibility, which is
a long and unsurprisingly stupid story (involving unpaid bills, natch), will
with any luck improve in the next week, but until then, our choices are bad
and worse. Bad, in that we have a severe security flaw that can't be fixed
at the moment. Or worse, that we may have a severe security flaw that
someone could easily publicize (perhaps this has already happened?), giving
all idle hands ample time to casually root around through peoples' mail.

I've cc:'d Plastic's ex-engineer, Jon Phelps, in the hopes that he might be
able to prevail on our long-unpaid (but still hosting!) ISP to give him
access and patch this up (assuming that he's willing and able.) My fingers
are tightly crossed.

Any advice on handling this would be welcome in the interim. I'm tempted to
post it as a story, urging people to delete any sensitive correspondence,
but again, my fear is that publicizing it without being able to fix it will
just heighten abuse. And since only a fraction of the people affected would
likely see the post, there'd be ample time for people to engage in mischief,
should they be so inclined. Hell, I don't even know whether "deleting"
messages would actually make them inaccessible. Uggh, I feel ill.

-joey anuff
volunteer editor, Plastic

----- Original Message -----
From: "Kath" <kath () kathweb net>
To: <brain_eater () zombieworld com>; <bugtraq () securityfocus com>
Cc: <support () plastic com>; <editors () plastic com>
Sent: Saturday, September 08, 2001 3:24 PM
Subject: Re: Insecure handling of notes in Slashcode


They should just do a random 10-16 char string and then md5 that to do an
id... simple fix.

- k



----- Original Message -----
From: "jesus lovejones" <brain_eater () zombieworld com>
To: <bugtraq () securityfocus com>
Sent: Saturday, September 08, 2001 1:06 AM
Subject: Insecure handling of notes in Slashcode


Security Advisory - September 9, 2001
plastic.com's Slashcode

Overview:
The implementation of private notes on plastic.com's Slashcode-driven site
is insecure.  Any logged in user can view any message in the system.

Description:
After logging into the site as a user,
http://www.plastic.com/message.pl?op=read&m_id=9999 (where m_id= a given
message's ID) will display the message, even if you weren't the user that
the message was sent to.
http://www.automatic-media.com/privacypolicy.html says "Automatic Media
takes the matter of our users' privacy very seriously."  Some of the user
data exposed through this bug would argue otherwise.

Versions Affected:
Beats me.  I searched Slashcode's bug tracker and didn't find any related
entries; I don't know what version of Slashcode plastic.com's running and I
don't know if notes is a feature of Slashcode or something they rolled in
after the fact, so I can't say how endemic this bug is.

Resolution:
I e-mailed support () plastic com and editors () plastic com last Friday
evening with this information, recommending that they purge the notes
database and add a disclaimer on the messaging pages, and still haven't
heard back from them.



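The missing check in the advisory above is an authorization check on the note lookup: message.pl resolved m_id to a note and displayed it without asking whether the logged-in user was a party to it. Below is an added illustration of that check (not Slashcode's or plastic.com's code); the note store, user names and function names are constructed for the example, and the soft-delete flag shows why "deleting" a note only helps if every read path consults it.

```python
from dataclasses import dataclass


@dataclass
class Note:
    m_id: int
    sender: str
    recipient: str
    body: str
    deleted: bool = False


# Constructed sample data standing in for the notes table.
NOTES = {
    9998: Note(9998, "alice", "bob", "lunch tomorrow?"),
    9999: Note(9999, "carol", "dave", "do not forward this"),
}


class Forbidden(Exception):
    """Raised for any note the requester may not read."""


def read_note_vulnerable(user, m_id):
    # Mirrors the reported behaviour: being logged in is the only check,
    # so any user can walk m_id and read every note in the system.
    return NOTES[m_id].body


def read_note(user, m_id):
    # Hardened: resolve the id, then require the requester to be the sender
    # or recipient, and honour the deleted flag. Unknown, deleted and
    # foreign notes all fail identically so the id space cannot be used
    # to learn which notes exist. An unguessable id (the random-string
    # suggestion earlier in the thread) would slow enumeration but is not
    # a substitute for this check.
    note = NOTES.get(m_id)
    if note is None or note.deleted or user not in (note.sender, note.recipient):
        raise Forbidden(f"note {m_id} is not readable by {user}")
    return note.body


def delete_note(user, m_id):
    # Soft delete goes through the same ownership test as reading.
    note = NOTES.get(m_id)
    if note is None or user not in (note.sender, note.recipient):
        raise Forbidden(f"note {m_id} is not deletable by {user}")
    note.deleted = True
    return True
```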