[27003] in bugtraq


Re: slashdot / slashcode disclosing passwords

daemon@ATHENA.MIT.EDU (Jamie McCarthy)
Wed Sep 11 21:02:49 2002

Date: Wed, 11 Sep 2002 18:54:47 -0400
From: Jamie McCarthy <jamie@mccarthy.vg>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
In-Reply-To: <Pine.LNX.4.42.0209111228050.848-100000@nimue.bos.bindview.com>
Message-ID: <r01050300-1015-78997232C5D911D6BE280030655680F4@[192.168.0.159]>
MIME-Version: 1.0
Content-Type: text/plain; Charset=US-ASCII
Content-Transfer-Encoding: 7bit

lcamtuf@dione.ids.pl (Michal Zalewski) writes:

> I gave Slashdot a short notice because

...you were impatient, I guess.  But the explanation is simple.

Our users access that link from these pages:

http://slashdot.org/users.pl?op=changepasswd
http://slashdot.org/users.pl?op=edituser

which inform him or her:

    You can automatically log in by clicking _This Link_ and
    Bookmarking the resulting page.  This is totally insecure,
    but very convenient.

Anyone whose password shows up in your referrer logs has been
duly warned.

Any security concerns with Slashcode or Slashdot should be sent to
security@slashcode.com.  (This address can be found by clicking
"bugs" on the Slashdot homepage.  As stated there, we adhere to
the RFP, and ask you to as well.)

--
 Jamie McCarthy
 jamie@slashdot.org
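A defender-side check for the leak discussed above, as an added example that is not part of the original post or of Slashcode: it scans Apache combined-format log lines for credential-bearing query strings in the request path or the Referer field and produces a redacted copy of such URLs so sanitised logs can be retained. The parameter names it looks for and the sample log lines are constructed assumptions, since the post does not name the auto-login parameters.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs, parse_qsl, urlencode

# Query parameters that should never carry a credential in a URL.
# Assumed names; the original post does not name the auto-login parameters.
SENSITIVE_PARAMS = {"passwd", "password", "pass", "pw"}

# Apache/NCSA "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def credential_params(url):
    """Return the set of sensitive query-parameter names present in a URL."""
    if not url or url == "-":          # Apache writes "-" for an absent Referer
        return set()
    query = urlsplit(url).query
    return {k for k in parse_qs(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS}

def redact(url):
    """Return url with the values of sensitive parameters replaced, so a
    sanitised copy of the log can be kept without the credentials."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def scan(lines):
    """Return (line_no, field, [param names]) for every log line whose request
    path or Referer carries a credential in its query string."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue                    # skip lines not in combined format
        request = m.group("request").split(" ")
        path = request[1] if len(request) >= 2 else ""
        for field, url in (("request", path), ("referer", m.group("referer"))):
            found = credential_params(url)
            if found:
                findings.append((n, field, sorted(found)))
    return findings

# Constructed sample: a third-party site's log; line 2 shows a visitor who
# arrived from a bookmarked auto-login URL, so the credential lands here.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Sep/2002:18:54:47 -0400] "GET /news.html HTTP/1.0" 200 5123 "http://www.example.org/index.html" "Mozilla/4.0"',
    '198.51.100.7 - - [11/Sep/2002:18:55:01 -0400] "GET /news.html HTTP/1.0" 200 5123 "http://slashdot.example/users.pl?op=userlogin&nick=alice&passwd=hunter2" "Mozilla/4.0"',
    '203.0.113.5 - - [11/Sep/2002:18:55:09 -0400] "GET /robots.txt HTTP/1.0" 404 209 "-" "Crawler/1.0"',
]

if __name__ == "__main__":
    for n, field, params in scan(SAMPLE_LOG):
        print(f"line {n}: credential in {field} ({', '.join(params)})")
```

A production deployment would apply `redact()` in the log pipeline before the line is written to disk, rather than after the fact.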
