Slashcode: login vulnerability

12

Author: JT Smith

Slashcode.com: “Slash, the code that runs Slashdot and many other web sites, has a
vulnerability in recent versions that allows any logged-in user to
log in as any other user.This allows users to take nearly full control of a Slash system (post and delete stories, posting stories, edit users, post as other users, etc., and do anything that a Slash user can do) by logging in to an administrator’s Slash account.”


[SA-2002:00] Slashcode login vulunerability


RISK FACTOR: HIGH


SYNOPSIS

Slash, the code that runs Slashdot and many other web sites, has a
vulnerability in recent versions that allows any logged-in user to
log in as any other user.

This allows users to take nearly full control of a Slash system (post
and delete stories, posting stories, edit users, post as other users,
etc., and do anything that a Slash user can do) by logging in to
an adminstrator's Slash account.


VULNERABLE SYSTEMS

Any system running Slash 2.1.x (development versions for 2.2), 2.2.0,
2.2.1, or 2.2.2, and sites using the development code from CVS.  Slash
2.0.x and previous are unaffected.


RESOLUTION

Slash 2.2.3 should be installed for all Slash 2.1 and 2.2 sites.
Users of the development code from CVS should run cvs update and install
the most recent code.

In the meantime, if upgrading is not possible or will not happen
immediately, site administrators should either shut down the web site
or disable admin.pl and users.pl by moving them elsewhere or disabling
the execution bits (Apache may need to be restarted following this).

Further, site administrators should change their passwords, and check
the "seclev" field in the users table to make sure no one has a seclev
greater to or equal than "100" who should not have administrator
privileges:

  mysql> SELECT uid, nickname, seclev FROM users WHERE seclev >= 100;

That should list only users with some administrator privileges.

Site administrators should subscribe to the slashcode-general or
slashcode-announce mailing lists, to keep up to date on the latest
releases and security notices.  Subscription information is on the
Slashcode site at  http://slashcode.com/.


CREDITS

Daniel Bowers daniel@satus.com> found and exploited the bug, and
notified the Slash team.  The Slash team immediately patched the code
and released Slash 2.2.3 three hours after notification.


CONTACT INFORMATION

Chris Nandor, pudge@osdn.comhttp://slashcode.com/

Category:

  • Linux