Friday, June 27, 2008

Full Disclosure of SlashCode Vulnerabilities

On 05-23-08, slashdot posted an article "Help Slashdot Test Our New Data Center" which prompted my interest...

From the article: "Please go there, post comments, submit stories, and do whatever you do normally. Or maybe abnormally — run crawlers, write poll spamming robots or something."

What particularly sparked my interest was the "Or maybe abnormally" part... So I decided that after years of reading the site daily, the very least I could do was give back to the community. My heavy interest in web applications, both pen testing them and writing them professionally for over 3 years, naturally led me to open Firefox and start digging into the plethora of add-ons I use on a daily basis. If my security and web app expertise helped them close up even one hole, my time would have been very well spent.

I didn't figure I'd find much, since the site is frequented so heavily by technology-related individuals and is most likely a higher-profile target than other sites for various reasons. However, to my surprise, I began to uncover various issues that I regularly ding my clients on. These were of varying severity, ranging from cross-site scripting and an integer overflow to default files being present and the HTTP TRACE method being enabled.

All of the aforementioned issues were reported to the slashdot/slashcode maintainers immediately, and mad props go out to pudge and whoever else over there fixed the issues within 2 hours of being notified!!! It is very impressive that my email sent at 12:24am on 05-24-08 was responded to at 2:31am the same night and the severe issues were fixed! After working with corporate America and its extremely slow response to other security issues I've found, many of which were severe 0-days, I've never had such a response. I've had other companies with commercial products hang up on me and ignore emails when I'm the one trying to help them secure their own product!

The issues that I discovered were in slashcode, the code that slashdot.org runs on. The code is open to anyone and is used by other sites. Fixes have been implemented, and for those of you who are not on the slashcode mailing list, the slashcode website has details.

Cross-Site Scripting
====================
http://beta.slashdot.org/comments.pl?sid=559811*/--><script>alert('XSS'!)</script>
http://beta.slashdot.org/article.pl?sid=559811*/--><script>alert('XSS'!)</script>

HTTP 500 Error
==============
http://beta.slashdot.org/index.pl?issue=99999999
(index out of bounds?)
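
Both findings above are the same root cause: a request parameter reaching code that assumed it was well-formed. The following is an added example (not slashcode's own code, which is Perl; this is a Python sketch of the defensive pattern) showing a "before" handler that echoes `sid` straight into the page next to a hardened handler that whitelists `sid` as a plain integer and escapes it on output, and an `issue` parser that turns an out-of-range date like 99999999 into a 404 instead of an unhandled error. The HTML fragment, the `handle()` dispatcher and the exact shape of the original sink are assumptions for illustration; only the two parameter values come from the post.

```python
import html
import re
from datetime import date

# Constructed sample inputs modelled on the two URLs reported in the post.
XSS_SID = "559811*/--><script>alert('XSS'!)</script>"
BAD_ISSUE = "99999999"
GOOD_ISSUE = "20080524"

SID_RE = re.compile(r"[0-9]{1,9}")    # story ids are small positive integers
ISSUE_RE = re.compile(r"[0-9]{8}")    # an issue is a YYYYMMDD day


def render_comments_vulnerable(sid):
    """Hypothetical 'before' shape: the raw parameter is echoed into the page,
    so a value carrying markup is rendered as markup."""
    return "<!-- story %s --><h1>Comments for story %s</h1>" % (sid, sid)


def render_comments_hardened(sid):
    """Whitelist the parameter first, then escape it on output anyway
    (defence in depth: escaping protects every sink, validation one)."""
    if not SID_RE.fullmatch(sid):
        raise ValueError("sid must be a positive integer")
    safe = html.escape(sid, quote=True)
    return "<!-- story %s --><h1>Comments for story %s</h1>" % (safe, safe)


def parse_issue(issue):
    """Return a date for a YYYYMMDD issue string, or None if it is malformed
    or not a real calendar day (99999999 is eight digits but month 99)."""
    if not ISSUE_RE.fullmatch(issue):
        return None
    y, m, d = int(issue[:4]), int(issue[4:6]), int(issue[6:])
    try:
        return date(y, m, d)
    except ValueError:  # would otherwise surface as a 500 from deep inside
        return None


def handle(path, params):
    """Tiny front controller returning (status, body); assumed for the demo."""
    if path == "comments.pl":
        try:
            return 200, render_comments_hardened(params.get("sid", ""))
        except ValueError as exc:
            return 400, html.escape(str(exc))
    if path == "index.pl":
        issue = params.get("issue")
        if issue is None:
            return 200, "front page"
        day = parse_issue(issue)
        if day is None:
            return 404, "no such issue"
        return 200, "issue for %s" % day.isoformat()
    return 404, "not found"


if __name__ == "__main__":
    print(render_comments_vulnerable(XSS_SID))          # markup survives
    print(handle("comments.pl", {"sid": XSS_SID}))      # (400, ...)
    print(handle("index.pl", {"issue": BAD_ISSUE}))     # (404, 'no such issue')
    print(handle("index.pl", {"issue": GOOD_ISSUE}))    # (200, 'issue for 2008-05-24')
```

The point of keeping both validation and escaping is that each covers a failure of the other: a regex that is later loosened still meets an escaped sink, and a template that forgets to escape still only sees digits. For the `issue` parameter, mapping "not a real day" to a normal 404 also removes the error page as a source of stack-trace information.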

The announcement can be found at slashcode with details of the fixes here.

Again, thanks to pudge and the folks over at slashdot for a great site. Keep up the good work!
