[26998] in bugtraq
slashdot / slashcode disclosing passwords
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Wed Sep 11 16:22:08 2002
Date: Wed, 11 Sep 2002 13:25:45 -0400 (EDT)
From: Michal Zalewski <lcamtuf@dione.ids.pl>
To: bugtraq@securityfocus.com, <vulnwatch@vulnwatch.org>
Message-ID: <Pine.LNX.4.42.0209111228050.848-100000@nimue.bos.bindview.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Hey,
I noticed that Slashdot has a nasty bug, which, I imagine, is a fault of
Slashcode. On certain occasions, you can find a very interesting Referer
string for some visitors of pages mentioned on this site. One such
entry:
63.XXX.XXX.175 - - [11/Sep/2002:18:13:33 +0200] "GET /newtcp/ HTTP/1.1"
200 33541 "http://slashdot.org/?unickname=dXXg&passwd=rXXXX3"
"Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.1) Gecko/20020826"
[lcamtuf.coredump.cx]
Go figure. This does not seem to be a consistent pattern: of thousands of
hits from Slashdot only about 15-20 were like that today, so it seems like
a specific condition has to be met, yet it's not that uncommon - I'd
guess it happens right after you log in and click on the link. I did not
investigate it too much, but it seems to me that Slashcode is fairly
popular and used in quite a few places - and that's a nice example of why
GET shouldn't be used for forms. This is based exclusively on real-world
observation of this pattern.
I gave Slashdot a short notice because it does not really matter how fast
you patch it - once public, people can grep their webserver logs for past
entries anyway.
--
Michal Zalewski
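A log-review check for the leak described in the post, added here as an example and not part of Zalewski's message or of Slashcode: it parses Apache combined-format access log lines, inspects the Referer query string for credential-style parameter names, and reports only the client host, the referring site and the parameter names (never the values), so the finding can be handed to the referring site without re-exposing the secret. The sample log lines, host names and the list of parameter names are constructed assumptions, not data from the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/NCSA combined log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed list of query parameter names that usually carry a secret when a
# login form is submitted with GET; extend it for the forms you actually run.
SECRET_PARAMS = {"passwd", "password", "pass", "pwd", "pw", "secret", "token"}

def parse_combined(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def leaked_params(referer):
    """Return the credential-looking parameter names found in a Referer URL's query string."""
    query = urlsplit(referer).query
    return sorted({k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SECRET_PARAMS})

def find_referer_leaks(lines):
    """Scan log lines; yield (client host, referring site, parameter names) without the values."""
    hits = []
    for line in lines:
        rec = parse_combined(line.strip())
        if not rec:
            continue  # skip lines that are not combined format
        names = leaked_params(rec["referer"])
        if names:
            hits.append((rec["host"], urlsplit(rec["referer"]).netloc, names))
    return hits

# Constructed sample lines (not real traffic) mirroring the pattern from the post:
# a login submitted with GET, then a normal article link, then a hit with no Referer.
SAMPLE_LOG = [
    '203.0.113.10 - - [11/Sep/2002:18:13:33 +0200] "GET /newtcp/ HTTP/1.1" 200 33541 '
    '"http://news.example/?unickname=alice&passwd=hunter2" "Mozilla/5.0 (Windows; U; Win98)"',
    '203.0.113.11 - - [11/Sep/2002:18:14:01 +0200] "GET /newtcp/ HTTP/1.1" 200 33541 '
    '"http://news.example/article.pl?sid=02/09/11/1234" "Mozilla/5.0"',
    '203.0.113.12 - - [11/Sep/2002:18:14:05 +0200] "GET / HTTP/1.0" 200 512 "-" "curl/7.9"',
]

if __name__ == "__main__":
    for host, origin, names in find_referer_leaks(SAMPLE_LOG):
        print(f"{host} arrived from {origin} with credential parameters in Referer: {', '.join(names)}")
```

Run it against a real access log with `find_referer_leaks(open("access.log"))`; a non-empty result is the cue to notify the referring site that one of its forms submits credentials via GET.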