[27000] in bugtraq


Re: slashdot / slashcode disclosing passwords

daemon@ATHENA.MIT.EDU (Michal Zalewski)
Wed Sep 11 19:58:59 2002

Date: Wed, 11 Sep 2002 17:37:02 -0400 (EDT)
From: Michal Zalewski <lcamtuf@dione.ids.pl>
To: Craig Dickson <crdic@pacbell.net>
In-Reply-To: <20020911203952.GA8994@linux700.localnet>
Message-ID: <Pine.LNX.4.42.0209111734330.848-100000@nimue.bos.bindview.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Wed, 11 Sep 2002, Craig Dickson wrote:

> Slashcode allows you to connect with
> "http://site/?unickname=my+nick&upasswd=passwd" as a "quick login". It
> has been like this for years, and has always been documented as being
> "totally insecure, but very convenient". (Cite: log in to slashdot.org,
> then go to "/users.pl?op=edituser")

From my conversation with Slashdot folks, it seems that it shouldn't be
this way. The more reasonable way to implement it is to immediately
refresh a URL to some "safe" location (and give the user a cookie or put some
extra information in returned POST forms). Putting a solution that is so
grossly insecure is a bit insane ;-)

-- 
_____________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
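
The redirect-and-cookie approach described in the message above, sketched as an added example (not part of the original message and not Slashcode's code). The parameter names come from the quoted URL; `quick_login`, the `USERS` store and the `session` cookie name are hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

CRED_PARAMS = {"unickname", "upasswd"}  # parameter names from the quoted URL
USERS = {"my nick": "passwd"}           # constructed sample store (plaintext only for the demo)
SESSIONS = {}                           # session token -> nickname


def quick_login(request_url):
    """Return (status, headers) for a GET that may carry quick-login credentials."""
    parts = urlsplit(request_url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    creds = {k: v for k, v in params if k in CRED_PARAMS}
    if not creds:
        return 200, {}  # nothing sensitive in the URL, serve the page normally

    # Rebuild a same-site, relative URL without the credential parameters.
    # Collapsing leading slashes stops "//host/" being read as another site.
    path = "/" + parts.path.lstrip("/")
    query = urlencode([(k, v) for k, v in params if k not in CRED_PARAMS])
    headers = {
        "Location": urlunsplit(("", "", path, query, "")),
        "Cache-Control": "no-store",  # keep the credential-bearing response out of caches
    }

    expected = USERS.get(creds.get("unickname", ""))
    supplied = creds.get("upasswd", "")
    if expected is not None and hmac.compare_digest(expected.encode(), supplied.encode()):
        # The password never travels again; later requests carry a random token.
        token = secrets.token_urlsafe(32)
        SESSIONS[token] = creds["unickname"]
        headers["Set-Cookie"] = f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"

    # Redirect on success or failure, so the password leaves the address bar,
    # bookmarks and the Referer header of later requests either way.
    return 303, headers


if __name__ == "__main__":
    print(quick_login("http://site/users.pl?op=edituser&unickname=my+nick&upasswd=passwd"))
```

The first request still carries the password in its URL, so it remains visible in server access logs, proxy logs and the original link itself.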


