Vulnerability

    Slashcode

Affected

    All slashcode prior to  2.0-Alpha (bender)

Description

    Brian Aker found  following (Nohican and  {} for exploiting).   In
    prior versions of slash there are several issues that one must  be
    aware of that  are covered in  the INSTALL.   One must change  the
    default admin user/passwd from God/Pete to something else.  Proper
    setup of Slashcode depends on people reading the INSTALL.

    Because of the  slash install and  code not having  something that
    forces  the   admin  user   to  change   the  password,   one  may
    inadvertently  be  leaving  themselves  open  to  access  from the
    outside by unauthorized users.

    Because there are issues in  the design of slash prior  to rewrite
    for 2.0, someone who has access to an admin account with a  seclev
    of 10,000, can find ways of executing arbitrary code by  inserting
    a block  as the  user running  the webserver  and thereby possibly
    gaining unauthorized shell access or access to the database.

    As the INSTALL  notes, "If you  do not change  all your passwords,
    you almost certainly will get haX0rD."

Solution

    Check to see if you have accounts named God, author or author1 and
    that they are not using default  passwords.  You may also want  to
    evaluate  which  accounts  have  seclev  privileges to alter block
    data.

    A  new  version  of  the  current  main branch will no longer have
    default admin  password and  will require  you to  manually add an
    admin user.  This issue has been fixed in the development  relaese
    of slashcode (AKA Bender).