slashdot / slashcode disclosing passwords

[Michal Zalewski <lcamtuf () dione ids pl>]

Hey,

I noticed that Slashdot has a nasty bug, which, I imagine is a fault of
Slashcode. On certain occassions, you can find a very interesting Referer
string for some visitiors of pages mentioned on this site. One of such
entries:

63.XXX.XXX.175 - - [11/Sep/2002:18:13:33 +0200] "GET /newtcp/ HTTP/1.1"
200 33541 "http://slashdot.org/?unickname=dXXg&passwd=rXXXX3";
"Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.1) Gecko/20020826"
[lcamtuf.coredump.cx]

Go figure. This does not seem to be a consistent pattern, of thousands
hits from Slashdot only about 15-20 were like that today, so it seems like
a specific condition have to be met, yet it's not that uncommon - I'd
guess it happens right after you login and click on the link. I did not
investigate it too much, but it seems to me that Slashcode is fairly
popular and used in quite a few places - and that's a nice example of why
GET shouldn't be used for forms. This is based exclusively on the real
world observation of this pattern.

I gave Slashdot a short notice because it does not really matter how fast
you patch it - once public, people can grep their webserver logs for past
entries anyway.

-- 
Michal Zalewski