20th Feb 2002 [SBWID-5113]
COMMAND
SlashCode login vulnerability (through cross site scripting)
SYSTEMS AFFECTED
all versions prior to 2.2.5
PROBLEM
Hiromitsu Takagi found the following, as reported by Jamie McCarthy:
Users who have Javascript enabled, and who can be persuaded to click on
an attacker's URL on a victim Slash website, will send their Slash
cookie, with username and password, to the attacker's website.
The attacker can then take over the user's account. If the user is an
administrator of the victim Slash website, the attacker can take nearly
full control of that site (post and delete stories, edit users, post as
other users, etc.).
SOLUTION
Slash 2.1 and 2.2 sites should upgrade to Slash 2.2.5 immediately.
Systems running development code from CVS should run cvs update and
install the most recent code.
Slash 1.0.x and 2.0.x are no longer supported and there will not be
further releases. Sites running these versions should apply the patches
at this URL:
http://slashcode.com/article.pl?sid=02/02/07/1624221
Further, site administrators should change their passwords, and check
the "seclev" field in the users table to make sure no one has a
seclev greater than or equal to "100" who should not have
administrator privileges:
mysql> SELECT uid, nickname, seclev FROM users WHERE seclev >= 100;
That should list only users with some administrator privileges.
As always, Slash site administrators should subscribe to the
slashcode-general or slashcode-announce mailing lists, to keep up to
date on the latest releases and security notices. Subscription
information is on the Slashcode site at <http://slashcode.com/>.