Insecure handling of notes in Slashcode

From: jesus lovejones (brain_eater@zombieworld.com)
Date: 09/08/01


Date: Sat,  8 Sep 2001 01:06:32 -0400
Message-Id: <200109080106.AA249561568@zombieworld.com>
From: "jesus  lovejones" <brain_eater@zombieworld.com>
To: <bugtraq@securityfocus.com>
Subject: Insecure handling of notes in Slashcode

Security Advisory - September 9, 2001
plastic.com's Slashcode

Overview:
The implementation of private notes on plastic.com's Slashcode-driven site is insecure. Any logged-in user can view any message in the system.

Description:
After logging into the site as a user, http://www.plastic.com/message.pl?op=read&m_id=9999 (where m_id= a given message's ID) will display the message, even if you weren't the user that the message was sent to.
http://www.automatic-media.com/privacypolicy.html says "Automatic Media takes the matter of our users' privacy very seriously." Some of the user data exposed through this bug would argue otherwise.

Versions Affected:
Beats me. I searched Slashcode's bug tracker and didn't find any related entries; I don't know what version of Slashcode plastic.com's running and I don't know if notes is a feature of Slashcode or something they rolled in after the fact, so I can't say how endemic this bug is.

Resolution:
I e-mailed support@plastic.com and editors@plastic.com last Friday evening with this information, recommending that they purge the notes database and add a disclaimer on the messaging pages, and still haven't heard back from them.


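The missing check described in the advisory, as an added example that is not part of the original post and is not Slashcode or plastic.com code: a Python model of a `message.pl?op=read&m_id=N` handler, with the login-only behaviour beside a version that also compares the message's recipient to the session user. The `MESSAGES` table, the uid values and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

@dataclass(frozen=True)
class Message:
    m_id: int
    recipient_uid: int
    body: str

# Constructed sample data standing in for the notes table.
MESSAGES = {
    9998: Message(9998, recipient_uid=17, body="note for user 17"),
    9999: Message(9999, recipient_uid=42, body="note for user 42"),
}

class NotFound(Exception):
    """Raised for missing and for foreign messages alike, so IDs cannot be probed."""

def read_message_login_only(session_uid, m_id):
    # Behaviour the advisory describes: being logged in is the only check.
    if session_uid is None:
        raise PermissionError("login required")
    msg = MESSAGES.get(m_id)
    if msg is None:
        raise NotFound(m_id)
    return msg.body

def read_message_checked(session_uid, m_id, audit_log):
    # Same lookup, but the row must belong to the session user.
    if session_uid is None:
        raise PermissionError("login required")
    msg = MESSAGES.get(m_id)
    if msg is None or msg.recipient_uid != session_uid:
        if msg is not None:
            # Existing message requested by a non-recipient: record it for review.
            audit_log.append((session_uid, m_id))
        raise NotFound(m_id)
    return msg.body

def handle(query, session_uid, audit_log):
    # Parse "op=read&m_id=9999"; malformed input gets the same NotFound answer.
    params = parse_qs(query)
    if params.get("op") != ["read"]:
        raise NotFound(query)
    try:
        m_id = int(params["m_id"][0])
    except (KeyError, ValueError):
        raise NotFound(query)
    return read_message_checked(session_uid, m_id, audit_log)
```

The session user ID must come from the server-side session, never from a request parameter, or the recipient comparison can be bypassed the same way.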

