[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: slashdot / slashcode disclosing passwords
From: Michal Zalewski <lcamtuf () dione ! ids ! pl>
Date: 2002-09-11 17:25:45
[Download RAW message or body]
Hey,
I noticed that Slashdot has a nasty bug, which, I imagine is a fault of
Slashcode. On certain occassions, you can find a very interesting Referer
string for some visitiors of pages mentioned on this site. One of such
entries:
63.XXX.XXX.175 - - [11/Sep/2002:18:13:33 +0200] "GET /newtcp/ HTTP/1.1"
200 33541 "http://slashdot.org/?unickname=dXXg&passwd=rXXXX3"
"Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.1) Gecko/20020826"
[lcamtuf.coredump.cx]
Go figure. This does not seem to be a consistent pattern, of thousands
hits from Slashdot only about 15-20 were like that today, so it seems like
a specific condition have to be met, yet it's not that uncommon - I'd
guess it happens right after you login and click on the link. I did not
investigate it too much, but it seems to me that Slashcode is fairly
popular and used in quite a few places - and that's a nice example of why
GET shouldn't be used for forms. This is based exclusively on the real
world observation of this pattern.
I gave Slashdot a short notice because it does not really matter how fast
you patch it - once public, people can grep their webserver logs for past
entries anyway.
--
Michal Zalewski
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic