Date: Sat, 8 Sep 2001 01:06:32 -0400
Message-Id: <200109080106.AA249561568@zombieworld.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
From: "jesus lovejones" <brain_eater@zombieworld.com>
Reply-To: <brain_eater@zombieworld.com>
To: <bugtraq@securityfocus.com>

Security Advisory - September 9, 2001
plastic.com's Slashcode

Overview:

The implementation of private notes on plastic.com's Slashcode-driven site is insecure. Any logged-in user can view any message in the system.

Description:

After logging into the site as a user, http://www.plastic.com/message.pl?op=read&m_id=9999 (where m_id= a given message's ID) will display the message, even if you weren't the user that the message was sent to.

http://www.automatic-media.com/privacypolicy.html says "Automatic Media takes the matter of our users' privacy very seriously." Some of the user data exposed through this bug would argue otherwise.

Versions Affected:

Beats me. I searched Slashcode's bug tracker and didn't find any related entries; I don't know what version of Slashcode plastic.com's running and I don't know if notes is a feature of Slashcode or something they rolled in after the fact, so I can't say how endemic this bug is.

Resolution:

I e-mailed support@plastic.com and editors@plastic.com last Friday evening with this information, recommending that they purge the notes database and add a disclaimer on the messaging pages, and still haven't heard back from them.
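Added example, not part of the original advisory and not Slashcode or plastic.com code: a minimal Python model of the missing check the advisory describes, showing a read handler that only requires a login beside one that also requires the message to be addressed to the session's user, plus an audit pass over a read log. All names, the schema and the sample data are hypothetical.

```python
# Added illustration: names, schema and data below are hypothetical, not Slashcode's.
from dataclasses import dataclass


class NotFound(Exception):
    """Raised for both missing and not-owned messages, so IDs cannot be probed."""


@dataclass(frozen=True)
class Message:
    m_id: int
    recipient_uid: int
    body: str


# Constructed sample data standing in for the private-notes table.
MESSAGES = {
    9998: Message(9998, recipient_uid=7, body="note for user 7"),
    9999: Message(9999, recipient_uid=42, body="note for user 42"),
}


def read_message_login_only(session_uid, m_id):
    """Behaviour the advisory describes: being logged in is the only check."""
    if session_uid is None:
        raise PermissionError("login required")
    msg = MESSAGES.get(m_id)
    if msg is None:
        raise NotFound(m_id)
    return msg.body


def read_message_owner_only(session_uid, m_id):
    """Corrected form: the message must be addressed to the session's user."""
    if session_uid is None:
        raise PermissionError("login required")
    msg = MESSAGES.get(m_id)
    # Same error for "no such id" and "not yours"; the owner comes from the
    # server-side session, never from a request parameter.
    if msg is None or msg.recipient_uid != session_uid:
        raise NotFound(m_id)
    return msg.body


def audit_reads(access_log):
    """Return (uid, m_id) pairs from a read log where the reader was not the recipient."""
    return [(uid, m_id) for uid, m_id in access_log
            if m_id in MESSAGES and MESSAGES[m_id].recipient_uid != uid]
```

The audit function assumes the application logs the session user alongside each message ID read; without that pairing, past cross-user reads cannot be reconstructed.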