[26999] in bugtraq


Re: slashdot / slashcode disclosing passwords

daemon@ATHENA.MIT.EDU (Craig Dickson)
Wed Sep 11 17:24:07 2002

Date: Wed, 11 Sep 2002 13:39:52 -0700
From: Craig Dickson <crdic@pacbell.net>
To: bugtraq@securityfocus.com
Message-ID: <20020911203952.GA8994@linux700.localnet>
In-Reply-To: <Pine.LNX.4.42.0209111228050.848-100000@nimue.bos.bindview.com>

Michal Zalewski wrote:

> I noticed that Slashdot has a nasty bug, which, I imagine, is a fault of
> Slashcode. On certain occasions, you can find a very interesting Referer
> string for some visitors of pages mentioned on this site. One of such
> entries:
>
> 63.XXX.XXX.175 - - [11/Sep/2002:18:13:33 +0200] "GET /newtcp/ HTTP/1.1"
> 200 33541 "http://slashdot.org/?unickname=dXXg&passwd=rXXXX3"
> "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.1) Gecko/20020826"
> [lcamtuf.coredump.cx]
>
> Go figure. This does not seem to be a consistent pattern, of thousands of
> hits from Slashdot only about 15-20 were like that today, so it seems like
> a specific condition has to be met,...

"That's not a bug, that's a feature!" Or at least a side effect,
possibly unforeseen, of an intentional feature. (Disclaimer: I am not a
Slashcode developer, and have never looked at the Slashcode. However, I
have had an account at Slashdot for about three years now.)

Slashcode allows you to connect with
"http://site/?unickname=my+nick&upasswd=passwd" as a "quick login". It
has been like this for years, and has always been documented as being
"totally insecure, but very convenient". (Cite: log in to slashdot.org,
then go to "/users.pl?op=edituser")

I would guess there are two factors that account for your seeing this
quite infrequently:

(1) Many people don't use this "quick login" feature;

(2) They have to click through to your site from the page they gave the
    "quick login" to (which is probably Slashdot's front page). These
    parameters won't be in the referer URL otherwise.

So the scenario for duplicating this would be:

(1) Connect to Slashdot using the "quick login";

(2) Click on an external link immediately, without any prior navigation
    within Slashdot itself. (Or navigate within Slashdot, then use the
    browser's "Back" button to go back to the initial page, then click
    on the external link.)

(3) The external link gets your Slashdot username/password in the
    referer field.

Craig

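The leak described in this thread shows up on the receiving site exactly the way Michal found it: as a Referer value in the web server's access log. The following is an added example, not code from the thread, from Slashcode or from lcamtuf's site. It is a Python scanner over Combined Log Format lines that parses each Referer, pulls apart its query string and flags parameter names that should never travel in a URL. The parameter list is an assumption (the Slashcode names passwd and upasswd come from the thread, the rest are generic guesses), and the log lines are constructed, with documentation-range addresses and made-up credentials, not real entries.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/NCSA Combined Log Format:
# host ident authuser [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Query-string names that have no business in a URL. passwd and upasswd are the
# Slashcode quick-login names from the thread; the rest are assumed generic
# names worth flagging on other sites. Note that "sid" is deliberately absent:
# on Slashdot it is a story id, not a session id, and would be a false positive.
SENSITIVE_PARAMS = {
    "passwd", "upasswd", "password", "pass", "pwd",
    "secret", "token", "apikey", "api_key", "sessionid",
}

# Constructed sample log lines (not a real log). Addresses are from the
# 192.0.2.0/24 documentation range and the credentials are invented.
SAMPLE_LOG = [
    # Quick-login user who clicked an external link straight from the front page.
    '192.0.2.10 - - [11/Sep/2002:18:13:33 +0200] "GET /newtcp/ HTTP/1.1" 200 33541 '
    '"http://slashdot.org/?unickname=alice&passwd=s3cret" '
    '"Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.1) Gecko/20020826"',
    # Ordinary click-through from an article page: nothing sensitive in the query.
    '192.0.2.11 - - [11/Sep/2002:18:14:01 +0200] "GET /newtcp/ HTTP/1.1" 200 33541 '
    '"http://slashdot.org/article.pl?sid=02/09/11/1234&mode=nested" "Mozilla/5.0"',
    # Direct visit with no Referer at all.
    '192.0.2.12 - - [11/Sep/2002:18:15:10 +0200] "GET / HTTP/1.0" 200 1024 "-" "Lynx/2.8.4"',
    # Same leak using the upasswd name Craig cites.
    '192.0.2.13 - - [11/Sep/2002:18:16:42 +0200] "GET /newtcp/ HTTP/1.1" 200 33541 '
    '"http://slashdot.org/?unickname=bob&upasswd=hunter2" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    # A line that is not in the expected format; it must be skipped, not crash the scan.
    "this line is not in combined log format",
]


def credential_params(url):
    """Return {name: value} for every sensitive query parameter found in url."""
    query = urlsplit(url).query
    return {
        name: value
        for name, value in parse_qsl(query, keep_blank_values=True)
        if name.lower() in SENSITIVE_PARAMS
    }


def scan_log(lines):
    """Return one record per log line whose Referer carries a sensitive parameter.

    Lines that do not parse, or whose Referer is empty or "-", are skipped.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        referer = m.group("referer")
        if referer in ("", "-"):
            continue
        leaked = credential_params(referer)
        if leaked:
            hits.append({
                "client": m.group("host"),
                "time": m.group("time"),
                "referer_host": urlsplit(referer).netloc,
                "params": leaked,
            })
    return hits


def redacted_report(hit):
    """Format a hit for a report, masking all but the first character of each
    secret so the report does not become a second copy of the leaked password."""
    masked = ", ".join(
        f"{name}={value[:1]}{'*' * max(len(value) - 1, 0)}"
        for name, value in hit["params"].items()
    )
    return (f"{hit['time']} client={hit['client']} "
            f"referer_host={hit['referer_host']} leaked: {masked}")


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(redacted_report(hit))
```

To run this over a real log, pass an open file object to scan_log instead of SAMPLE_LOG; the report masks the values on purpose, since a scan report containing other people's passwords is itself something you would have to protect.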
