Insecure handling of notes in Slashcode

From: jesus lovejones (brain_eater@zombieworld.com)
Date: 09/08/01


Date: Sat,  8 Sep 2001 01:06:32 -0400
Message-Id: <200109080106.AA249561568@zombieworld.com>
From: "jesus  lovejones" <brain_eater@zombieworld.com>
To: <bugtraq@securityfocus.com>
Subject: Insecure handling of notes in Slashcode

Security Advisory - September 9, 2001
plastic.com's Slashcode

Overview:
The implementation of private notes on plastic.com's Slashcode-driven site is insecure. Any logged-in user can view any message in the system.

Description:
After logging into the site as a user, requesting http://www.plastic.com/message.pl?op=read&m_id=9999 (where m_id is a given message's ID) will display the message, even if you weren't the user that the message was sent to.
http://www.automatic-media.com/privacypolicy.html says "Automatic Media takes the matter of our users' privacy very seriously." Some of the user data exposed through this bug would argue otherwise.

Versions Affected:
Beats me. I searched Slashcode's bug tracker and didn't find any related entries; I don't know what version of Slashcode plastic.com's running and I don't know if notes is a feature of Slashcode or something they rolled in after the fact, so I can't say how endemic this bug is.

Resolution:
I e-mailed support@plastic.com and editors@plastic.com last Friday evening with this information, recommending that they purge the notes database and add a disclaimer on the messaging pages, and still haven't heard back from them.

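The missing check behind the behaviour described in the advisory, as an added example (not Slashcode or plastic.com code). It is a minimal Python/sqlite3 model in which the table layout, column names and function names are all assumptions, contrasting a lookup keyed on m_id alone with one that also requires the logged-in user to be the recipient.

```python
import sqlite3

def make_db():
    """Constructed sample data: two private notes for two different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (m_id INTEGER PRIMARY KEY, "
                 "recipient_uid INTEGER NOT NULL, body TEXT NOT NULL)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)",
                     [(9998, 1, "note for user 1"), (9999, 2, "note for user 2")])
    return conn

def read_message_unchecked(conn, session_uid, m_id):
    """Behaviour the advisory describes: login is required, but the lookup
    is keyed on m_id alone, so any logged-in user gets any note."""
    if session_uid is None:
        return None
    row = conn.execute("SELECT body FROM messages WHERE m_id = ?",
                       (m_id,)).fetchone()
    return row[0] if row else None

def read_message_checked(conn, session_uid, m_id, audit=None):
    """Hardened form: the recipient is part of the query. 'Not yours' and
    'does not exist' return the same result, so IDs cannot be probed."""
    if session_uid is None:
        return None
    try:
        m_id = int(m_id)          # request parameter arrives as a string
    except (TypeError, ValueError):
        return None
    row = conn.execute(
        "SELECT body FROM messages WHERE m_id = ? AND recipient_uid = ?",
        (m_id, session_uid)).fetchone()
    if row:
        return row[0]
    # Record cross-user attempts server-side for later review.
    exists = conn.execute("SELECT 1 FROM messages WHERE m_id = ?",
                          (m_id,)).fetchone()
    if exists and audit is not None:
        audit.append((session_uid, m_id))
    return None

if __name__ == "__main__":
    db, log = make_db(), []
    print(read_message_unchecked(db, 1, 9999))    # another user's note
    print(read_message_checked(db, 1, 9999, log))  # None
    print(log)                                     # [(1, 9999)]
```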