Slashcode
If you are running Slashcode from CVS and you updated your site between June 17 and July 1, you need to update to the latest version in CVS. Please do so now.
An example exploit of this vulnerability has been posted to bugtraq (and Slashdot!) so you should assume that malicious users are already actively trying to attack sites. The example exploit did not include specific instructions on how to steal passwords, but this is trivial for anyone who understands XSS.
The impact of this vulnerability is that malicious readers can, at worst, steal your users' passwords, including those of your admins. Even if they do not steal passwords, they can cause other kinds of havoc by inserting unwelcome HTML, including scripting attacks, into comments and such.
After upgrading to the latest CVS, you should check the text fields of recent comments, journal entries, and submissions to make sure there are no scripting attacks. (Look for text like "<p ", which indicates a tag carrying attributes where none should be allowed. Other tags may have been exploited as well.)
If you cannot rule out the possibility of such attacks having been posted to your site, you will want to change your admins' passwords and otherwise take steps to ensure that their accounts are not compromised.
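An added example of the check described above, not code from the original advisory or from Slashcode itself: it scans a constructed set of comment bodies and flags any tag outside an assumed allow-list, and any allowed tag that carries an attribute it should not (the "<p " pattern). The allow-list, the permitted attributes and the sample comments are assumptions for illustration, not Slash's real configuration or site data.

```python
import re

# Assumed allow-list for this example (not Slash's actual configuration):
# tags a comment filter passes through, and the attributes each may carry.
# Anything else is suspect and worth a human look.
ALLOWED_ATTRS = {
    "b": set(), "i": set(), "em": set(), "strong": set(), "tt": set(),
    "p": set(), "br": set(), "blockquote": set(), "ol": set(), "ul": set(),
    "li": set(),
    "a": {"href"},
}

# Opening or closing tag: group 1 = tag name, group 2 = everything after the
# name up to '>' (attributes, or '/' on a self-closing tag).  A '>' inside a
# quoted attribute value would defeat this; a real HTML parser handles that.
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>", re.S)
# One attribute with its optional quoted or bare value; only the name is kept.
ATTR_RE = re.compile(r"""([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?""")


def suspect_tags(text):
    """Return (tag, attribute_text) pairs that should not be in a comment:
    a tag outside the allow-list, or an allowed tag carrying an attribute it
    is not permitted to have (what the advisory's '<p ' search catches)."""
    hits = []
    for m in TAG_RE.finditer(text):
        name = m.group(1).lower()
        rest = m.group(2).strip().rstrip("/").strip()
        if name not in ALLOWED_ATTRS:
            hits.append((name, rest))
            continue
        attr_names = {a.lower() for a in ATTR_RE.findall(rest)}
        if attr_names - ALLOWED_ATTRS[name]:
            hits.append((name, rest))
    return hits


# Constructed sample of "recent comments" keyed by comment id (not real data).
SAMPLE_COMMENTS = {
    101: 'Looks fine to <b>me</b>. See <a href="http://example.com/">this</a>.',
    102: '<p onmouseover="evil_handler()">Harmless-looking text</p>',
    103: "Line one<br />line two<blockquote>quoted</blockquote>",
    104: "Hello <script>do_something_bad()</script>",
}


def flagged_comments(comments):
    """Map comment id -> suspect tags, for every comment that has at least one."""
    result = {}
    for cid, text in comments.items():
        hits = suspect_tags(text)
        if hits:
            result[cid] = hits
    return result
```

Running `flagged_comments(SAMPLE_COMMENTS)` flags 102 (an allowed `<p>` given an event-handler attribute) and 104 (a tag not on the allow-list at all) while the two clean comments pass.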
Sorry about all this, but these things can happen when you're working with pre-development-release CVS. Life in the fast lane. We'll try to make sure they don't happen again.
Several of the Slash coders hang out in the #slash IRC channels on openprojects.net and if you need help updating a CVS site to the latest version, we can help.
If you cannot upgrade to the latest version in CVS at this time, the simpler fix is to apply the "else" clause from this one patch here.