Slash 2.2.x vulnerabilities

posted by pudge on 01:03 PM January 10th, 2002
As mentioned in the release of Slash 2.2.3, you need to upgrade to 2.2.3 if you are running any previous version of Slash 2.2.x. The basic problem is that any logged-in user can become any other user. Yeah.

Also, the problem mentioned in the Slash 2.2.2 release allows anyone to delete anyone else's journals. Not as bad, but still, please upgrade immediately.

The full notice is below, including how to resolve the issue, and what versions are affected. The notice has been sent to slashcode-general and slashcode-announce in addition to bugtraq.

[SA-2002:00] Slash login vulnerability


RISK FACTOR: HIGH


SYNOPSIS

Slash, the code that runs Slashdot and many other web sites, has a
vulnerability in recent versions that allows any logged-in user to
log in as any other user.

This allows users to take nearly full control of a Slash system (post
and delete stories, edit users, post as other users, etc., and in
general do anything the compromised account can do) by logging in to
an administrator's Slash account.


VULNERABLE SYSTEMS

Any system running Slash 2.1.x (development versions for 2.2), 2.2.0,
2.2.1, or 2.2.2, and sites using the development code from CVS.  Slash
2.0.x and previous are unaffected.


RESOLUTION

Slash 2.2.3 should be installed for all Slash 2.1 and 2.2 sites.
Users of the development code from CVS should run cvs update and install
the most recent code.

In the meantime, if upgrading is not possible or will not happen
immediately, site administrators should either shut down the web site
or disable admin.pl and users.pl by moving them elsewhere or disabling
the execution bits (Apache may need to be restarted following this).

Further, site administrators should change their passwords, and check
the "seclev" field in the users table to make sure that no one whose
account should not have administrator privileges has a seclev greater
than or equal to 100:

  mysql> SELECT uid, nickname, seclev FROM users WHERE seclev >= 100;

Every row returned should be an account that is supposed to have some
administrator privileges; anything else is a sign the bug was used.
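The seclev check above, worked through as an added example (this is not part of the advisory and not Slash's own code): the advisory's query is run verbatim against a constructed in-memory SQLite copy of the users table, and the rows it returns are compared with an allow-list of uids the operator knows should be admins. The sample rows, the allow-list and the use of sqlite3 in place of MySQL are assumptions for the illustration; on a real site you would run the same query in the mysql client and compare against your own list. The example also goes one step beyond the advisory by reporting allow-listed admins whose seclev has dropped below 100, since an attacker who logged in as an admin could have edited users.

```python
import sqlite3

# Constructed sample rows for the illustration; a real Slash site would run
# the same query against its MySQL "users" table instead.
SAMPLE_USERS = [
    (1, "pudge", 10000),
    (2, "jamie", 100),
    (3, "cowboyneal", 1),
    (4, "anonymous", 0),
    (5, "newguy", 100),   # not on the allow-list: someone may have used the bug
    (6, "editor2", 500),
]

# uids the site operator knows are legitimate admins (assumed for the example,
# not taken from the advisory).
KNOWN_ADMINS = {1, 2, 6}

# The advisory's query, unchanged.
ADVISORY_QUERY = "SELECT uid, nickname, seclev FROM users WHERE seclev >= 100"


def load_users(rows):
    """Build an in-memory stand-in for the Slash users table from sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uid INTEGER PRIMARY KEY, nickname TEXT, seclev INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def list_admins(conn):
    """Every account with admin-level seclev, exactly as the advisory's query reports it."""
    return conn.execute(ADVISORY_QUERY + " ORDER BY uid").fetchall()


def audit_admins(conn, known_admins):
    """Return (unexpected, missing).

    unexpected: rows with seclev >= 100 whose uid is not on the allow-list
                (the case the advisory tells you to look for).
    missing:    allow-listed uids that no longer have seclev >= 100, which
                would indicate someone edited a legitimate admin account.
    """
    admins = list_admins(conn)
    unexpected = [row for row in admins if row[0] not in known_admins]
    present = {row[0] for row in admins}
    missing = sorted(known_admins - present)
    return unexpected, missing


if __name__ == "__main__":
    conn = load_users(SAMPLE_USERS)
    unexpected, missing = audit_admins(conn, KNOWN_ADMINS)
    for uid, nick, seclev in unexpected:
        print(f"UNEXPECTED admin: uid={uid} nickname={nick} seclev={seclev}")
    for uid in missing:
        print(f"known admin uid={uid} no longer has seclev >= 100")
    if not unexpected and not missing:
        print("admin accounts match the allow-list")
```

Keep the allow-list somewhere the web application cannot write to (a file owned by the administrator, not a row in the database), or an attacker who reached an admin account can edit the list along with the users table.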

Site administrators should subscribe to the slashcode-general or
slashcode-announce mailing lists, to keep up to date on the latest
releases and security notices.  Subscription information is on the
Slashcode site at http://slashcode.com/.


CREDITS

Daniel Bowers <daniel@satus.com> found and exploited the bug, and
notified the Slash team.  The Slash team immediately patched the code
and released Slash 2.2.3 three hours after notification.


CONTACT INFORMATION

Chris Nandor, pudge@osdn.com
http://slashcode.com/
  • by Anonymous Coward
    How easy is it to upgrade from 2.0 to the 2.2.3? I've customized the templates an awful lot and don't really want to have to do it all over again. Does anyone have any tips?
    • Note, again, you do NOT have to upgrade from 2.0 to 2.2.3. This vulnerability is only in 2.1 and up.
      • by Anonymous Coward
        Yes, I realize that, but I'm sure there are probably some things broken in 2.0 that are fixed in 2.2.3.
        • I didn't find it too hard. I think the most annoying change required me to update my dispStory template since there was a change in how topics were passed.
          --
          You can't grep a dead tree.
      • by Anonymous Coward
        2.0 does have security holes that are fixed by the `formkey' field in forms (assuming that it is used correctly). If you are logged in to a Slash 2.0 site you should not visit untrusted web sites (especially if logged in to an admin account) as the web page can cause your web browser to use your Slash account in malicious ways. This does not require JavaScript or any advanced functionality.

        Capt. Tofu was informed about this bug but I know of no effort made to inform the Slash-using population.
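As an added illustration of the formkey-style defense this comment refers to (example code, not Slash's own formkey implementation, which is not shown on this page): a handler that acts on any request arriving with the session cookie, beside one that also demands a token bound to the logged-in session and to the specific form. A page on an untrusted site can make the victim's browser send the cookie, but it cannot know the token, so the forged request is rejected. Session ids, form names, the target field and the server secret are constructed for the example; a stateless HMAC-derived token is used here to keep the block self-contained, where a site could equally store randomly generated per-form keys server-side.

```python
import hashlib
import hmac

# Hypothetical server-side secret; a real site would load it from protected
# configuration, never from the request.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def make_formkey(session_id: str, form_name: str) -> str:
    """Issue a token tied to this session and this form.

    The server embeds it as a hidden field when it renders the form; a
    cross-site page never sees it because it cannot read our pages.
    """
    msg = f"{session_id}:{form_name}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def handle_post_unprotected(session_id: str, fields: dict):
    """Slash 2.0-style handling as the comment describes it: whoever presents
    the session cookie gets the action performed, including a forged
    auto-submitting form on an untrusted site (no JavaScript needed)."""
    return ("ok", fields["target_uid"])


def handle_post_protected(session_id: str, form_name: str, fields: dict):
    """Formkey-style handling: the submitted key must equal the one this
    session was issued for this form. Constant-time comparison avoids
    leaking how many leading characters matched."""
    submitted = fields.get("formkey", "")
    expected = make_formkey(session_id, form_name)
    if not hmac.compare_digest(submitted, expected):
        return ("rejected", None)
    return ("ok", fields["target_uid"])


if __name__ == "__main__":
    victim = "sess-victim"      # the session cookie the browser sends automatically
    forged = {"target_uid": "7"}  # what an attacker's page can make the browser submit
    print(handle_post_unprotected(victim, forged))                    # ('ok', '7')
    print(handle_post_protected(victim, "deletejournal", forged))     # ('rejected', None)
    legit = dict(forged, formkey=make_formkey(victim, "deletejournal"))
    print(handle_post_protected(victim, "deletejournal", legit))      # ('ok', '7')
```

The token must travel only in the form body (not in a URL an attacker could copy from a referrer or log) and must be checked on every state-changing request, which is the "assuming that it is used correctly" part of the comment.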

    • I found this GUI tool pretty damn cool.

      Beyond Compare - http://scootersoftware.com

      Dump your altered templates out to a directory, then you can use this graphical tool to compare them to the originals and see the differences in a flash.
  • by Anonymous Coward
    Okay, so I've upgraded slash. At least, I followed the instructions to the letter to upgrade slash. How, exactly, do I know if the upgrade was a success? (I mean, my site is running -- but can I no longer worry about it getting jacked?) Ordinarily I wouldn't post anonymously but in case I goofed up I don't want people breaking down my door ;-)