Two Slash Data Sanitization Security Issues
Two longstanding security issues were found and fixed in Slash, the code that powers Slashdot, in May 2008. The second of the two -- found and reported to us by Scott R. White, of securestate.com -- is easily exploitable and must be fixed immediately on all Slash 2.x sites.
The first, found and fixed on May 1, was a problem with filtering certain types of form data: form inputs where the form name is matched against a regex. At some point years ago, during refactoring, the code was changed to hold the name in a named variable instead of Perl's default variable, but the regex match was not changed with it, so the matching was not actually being done and the corresponding values were not being properly sanitized.
No known exploits, either against the database or for cross-site scripting (XSS), exist for this issue. A code review was performed and found no way to abuse it, but that does not mean it cannot be abused.
The second issue, found and fixed on May 23, is similar: the code to properly filter the "sid" of a story was not anchored properly, and additional data could be tacked onto the value and left unsanitized. We thank Scott R. White for alerting us to the problem in a responsible manner.
As with the first issue, no known database exploits exist for this issue; however, it is easily exploitable with standard XSS techniques, so all Slash sites must either update to the latest code or apply the patch at the link above to fix their site manually.
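To make both bug classes concrete, here is an added Perl illustration that is not Slash's own code: a form-name check that tests Perl's default variable `$_` instead of the named variable it was handed, and a "sid" check whose pattern has no trailing anchor, each beside its corrected form. The sid layout (YY/MM/DD/HHMMSS) and the form field names are assumptions made for the example.

```perl
#!/usr/bin/perl
# Illustration of the two filter bugs described in the advisory.
# Hypothetical code, not Slash's own; the sid format is assumed.
use strict;
use warnings;

# Bug class 1: the regex runs against $_ while the value lives in $name.
# $name is never examined, so the filter matches nothing and the
# values behind these field names never receive their special handling.
sub name_matches_broken {
    my ($name) = @_;
    no warnings 'uninitialized';   # Perl's warning here is the tell-tale
    return /^(?:comment|email|nickname)$/ ? 1 : 0;   # tests $_, not $name
}
sub name_matches_fixed {
    my ($name) = @_;
    return $name =~ /^(?:comment|email|nickname)$/ ? 1 : 0;
}

# Bug class 2: the sid pattern is anchored at the start only, so any
# data appended after a well-formed sid still passes the check.
sub sid_ok_broken {
    my ($sid) = @_;
    return $sid =~ m{^\d\d/\d\d/\d\d/\d+} ? 1 : 0;    # no trailing $
}
sub sid_ok_fixed {
    my ($sid) = @_;
    return $sid =~ m{^\d\d/\d\d/\d\d/\d+$} ? 1 : 0;   # anchored both ends
}

# Constructed inputs: a clean sid and one with trailing data tacked on.
for my $sid ('08/05/23/1234567', '08/05/23/1234567<junk>') {
    printf "%-25s broken=%d fixed=%d\n", $sid,
        sid_ok_broken($sid), sid_ok_fixed($sid);
}

# With $_ unset, the broken form-name check rejects even a valid name.
for my $name ('nickname', 'not_a_field') {
    printf "%-25s broken=%d fixed=%d\n", $name,
        name_matches_broken($name), name_matches_fixed($name);
}
```

The broken sid check accepts both inputs while the fixed one rejects the second; the broken name check returns 0 for every name, which is exactly the silent non-match the advisory describes.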
Both issues have existed for years. If you are on Slash 2.x, you are almost certainly affected.
As always (not that this happens often!), please contact us about security matters at firstname.lastname@example.org, and join the low-traffic slashcode-general mailing list to keep updated on security-related matters. This security warning has been posted to that list.