Slashcode 'Slash' Forum Input Validation Bug Lets Remote Users Conduct Cross-Site Scripting Attacks Against Slash Users
|
|
SecurityTracker Alert ID: 1004678 |
|
SecurityTracker URL: http://securitytracker.com/id/1004678
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jul 2 2002
|
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
|
Version(s): CVS version between June 17 and July 1, 2002
|
Description:
An input validation vulnerability hole was reported in Slash, affecting the version available in CVS from June 17 to July 1 2002. A remote user can insert arbitrary script code into messages to conduct cross-site scripting attacks.
It is reported that a remote user can insert arbitrary scripting code into messages posted to a site running the Slash code. A demonstration exploit (partial) is provided:
<p > onMouseOver..insert javascript here...>
When a target user views the Slash message (or Slash page), the arbitrary scripting code will run in the target user's browser. The code will originate from the site running Slash and will run in the security context of that site. As a result, the code may be able to access the target user's cookies associated with that site. This may enable the remote user to gain access to the target user's Slash account (including administrator accounts). Also, the code may be able to take actions on the web site acting as the user. This can be used, for example, to submit messages.
The vendor reports that if you are running Slashcode from one of the tarball releases (e.g., 2.2.5) you are not vulnerable.
|
Impact:
A remote user can steal the cookies of a target user visiting a site running Slash. A remote user may be able to cause the target user's browser to take actions on that site acting as the target user, including posting or deleting messages (if permitted for the target user).
|
Solution:
The vendor has reportedly correct the flaw. Current CVS versions are reportedly fixed.
A workaround is to apply the "else" clause from this one patch here:
http://cvs.slashcode.com/index.cgi/slash/Slash/Utility/Data/Data.pm.diff?r1=1.38&r2=1.39
|
Vendor URL: slashcode.com/article.pl?sid=02/07/02/167220&mode=thread&tid=4 (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 2 Jul 2002 01:56:26 -0700 (PDT)
Subject: XSS in Slashcode
|
There is a nasty Cross Site Scripting(XSS) vuln in
Slashcode. This was used a day or so go on
slashdot.org and resulted in most of the site being
taken down for an hour or so. The maintainers of
slashcode have patched the problem in CVS but have not
even mentioned it anywhere that I can find. This
leaves all sites using slash vulnerable to this
exploit.
An example exploit (incomplete) is as follows:
<p > onMouseOver..insert javascript here...>
I am dissapointed that the slachcode maintainers have
silently fixed this on slashdot.org yet made no
mention of the problem elsewhere so that other sites
can patch themselves. No wonder there are so many
"trolls" on slashdot.org...ah well.
If you run a site using slashcode, get the latest CVS.
That is all. Move along.
__________________________________________________
Do You Yahoo!?
Sign up for SBC Yahoo! Dial - First Month Free
http://sbc.yahoo.com
|
|
