XSS in Slashcode

Type securityvulns
Reporter Securityvulns
Modified 2002-07-02T00:00:00


There is a nasty Cross Site Scripting (XSS) vuln in Slashcode. This was used a day or so ago on slashdot.org and resulted in most of the site being taken down for an hour or so. The maintainers of slashcode have patched the problem in CVS but have not even mentioned it anywhere that I can find. This leaves all sites using slash vulnerable to this exploit.

An example exploit (incomplete) is as follows:

<p &gt; onMouseOver..insert javascript here...>

I am disappointed that the slashcode maintainers have silently fixed this on slashdot.org yet made no mention of the problem elsewhere so that other sites can patch themselves. No wonder there are so many "trolls" on slashdot.org...ah well.

If you run a site using slashcode, get the latest CVS.

That is all. Move along.

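The post only gives the shape of the payload, so the following is an added illustration (written for this page; it is not Slashcode's filter and not the poster's code) of the general mistake behind that class of bug: a filter that whitelists tag names but ignores attributes lets `<p onMouseOver=...>` through, while a filter that also whitelists attributes per tag, drops every `on*` handler and rejects non-http hrefs does not. The allowed tag and attribute sets are assumptions chosen for the demo, and the inputs are constructed to resemble the incomplete exploit above.

```javascript
// Added example, not Slashcode's own code. Contrasts a tag-name-only
// HTML filter with an attribute-aware one.

// Assumption for the demo: the site allows these tags in comments.
const ALLOWED_TAGS = new Set(["p", "b", "i", "a"]);
// Assumption for the demo: only <a> may carry an attribute, and only href.
const ALLOWED_ATTRS = { a: new Set(["href"]) };
// Allowlist of href prefixes; anything else (javascript:, data:, ...) is dropped.
const SAFE_HREF = /^(https?:\/\/|\/|#)/i;

// Matches an opening or closing tag: slash, tag name, everything else up to '>'.
const TAG_RE = /<(\/?)([a-zA-Z0-9]+)([^>]*)>/g;

// Naive filter: keeps a tag as long as its NAME is allowed. The attribute
// string is never inspected, so '<p onMouseOver="...">' survives intact.
function naiveFilter(html) {
  return html.replace(TAG_RE, (match, slash, name) =>
    ALLOWED_TAGS.has(name.toLowerCase()) ? match : "");
}

// Hardened filter: rebuilds each allowed tag from scratch, keeping only
// attributes on that tag's allowlist, so event handlers never survive.
function hardenedFilter(html) {
  return html.replace(TAG_RE, (match, slash, name, rest) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return "";          // unknown tag: drop it
    if (slash) return "</" + tag + ">";             // closing tags carry nothing
    const allowedAttrs = ALLOWED_ATTRS[tag] || new Set();
    const kept = [];
    // name=value pairs; quoted or bare values. Junk like '&gt;' never matches.
    const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/g;
    let m;
    while ((m = attrRe.exec(rest)) !== null) {
      const attr = m[1].toLowerCase();
      const value = m[2].replace(/^["']|["']$/g, "");
      if (!allowedAttrs.has(attr)) continue;        // drops onmouseover, onclick, style, ...
      if (attr === "href" && !SAFE_HREF.test(value.trim())) continue; // drops javascript: URLs
      kept.push(attr + '="' + value.replace(/"/g, "&quot;") + '"');
    }
    return "<" + tag + (kept.length ? " " + kept.join(" ") : "") + ">";
  });
}

// Constructed inputs shaped like the payload in the post.
const SAMPLES = [
  '<p &gt; onMouseOver="alert(1)">text</p>',
  '<a href="javascript:alert(1)" onclick="x()">link</a>',
  '<a href="https://example.com/">ok</a><script>x()</script>',
];

for (const s of SAMPLES) {
  console.log("naive:    ", naiveFilter(s));
  console.log("hardened: ", hardenedFilter(s));
}
```

Note that both filters drop a disallowed tag but leave its inner text in place, which is the usual behaviour for comment sanitisers; the point is that the text is then inert, whereas an attribute left on an allowed tag is live code in the reader's browser.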