Main Stories
Slash Boxes

Slash Open Source Project

Slashcode Log In

Log In

[ Create a new account ]

CVS Vulnerability

posted by Krow on 11:04 AM July 2nd, 2002   Printer-friendly   Email story
Slash in CVS had a cross-site scripting (XSS or CSS) vulnerability from June 17 to July 1 (yesterday). If you are running Slashcode from one of the tarball releases -- hopefully you are on 2.2.5 -- you are unaffected, don't worry about it.

But if you are running Slashcode from CVS and you updated your site between June 17 and July 1, you will need to update to the latest version in CVS now. Please do so now.

An example exploit of this vulnerability has been posted to bugtraq (and Slashdot!) so you should assume that malicious users are already actively trying to attack sites. The example exploit did not include specific instructions on how to steal passwords, but this is trivial for anyone who understands XSS.

The impact of this vulnerability is that malicious readers can, at worst, steal your users' passwords, including those of your admins. Even if they do not steal passwords, they can cause other kinds of havoc by inserting unwelcome HTML, including scripting attacks, into comments and such.

After upgrading to the latest CVS, you should check the text fields of recent comments, journal entries, and submissions to make sure there are no scripting attacks. (Look for text like "<p " which indicates a tag that has attributes where none should be allowed. Other tags may be exploited.)

If you cannot rule out the possibility of such attacks having been posted to your site, you will want to change your admins' passwords and otherwise take steps to ensure that their accounts are not compromised.

Sorry about all this, but these things can happen when you're working with pre-development-release CVS. Life in the fast lane. We'll try to make sure they don't happen again.

Several of the Slash coders hang out in the #slash IRC channels on openprojects.net and if you need help updating a CVS site to the latest version, we can help.

If you cannot upgrade to the latest version of CVS at this time, the simpler fix is to apply the "else" clause from this one patch here

This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
 Full
 Abbreviated
 Hidden
More | Login
Loading... please wait.