Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Slashdot.org

FortKnox's Journal: Slashcode Vulnerability Has Stayed Silent? 6

Journal by FortKnox
Looks like the slashcode vulnerability which I discussed in this journal entry, which points out jamie's response seems to not be important enough for the front page of slashdot, or any story on slashdot at all.

So MS exploits and other open source exploits can be pointed out (and mocked, for MS), but we'll keep our trap shut for our own bugs??

I'll be sure to point out this journal entry the next time Slashdot decides to bash MS, you can be sure of it.

Before you freak about the jamie link, slashdot seems to be swallowing the "&cid", here's the link printed out:
http://slashdot.org/comments.pl?sid=35258&cid=3807153
This discussion has been archived. No new comments can be posted.

Slashcode Vulnerability Has Stayed Silent?

Comments Filter:
  • Jamie made a post to bugtraq responding to the one made earlier yesterday. http://archives.neohapsis.com/archives/bugtraq/200 2-07/0013.html [neohapsis.com]

    It seems the bug was not in the current slash release, only the release under development. Which raises the question, why is slashdot running the most recent development release, not the current release? Are we users their testers? Do they depend on the large number of trolls here to exploit those holes so they can weed them out?

    Also, most slashdot editors know the deal with reporting holes. I dont think I've seen them criticize someone for quietly going to the vendor first (Microsoft or otherwise), but I have seen them criticize those who flat out go public right away. It's mostly the others (regular users & Michael) who make fun of MS every chance they get, no matter how much notice MS had or didnt have.

    Also - thinking about that html href trouble -- I wonder if by having the ampersand, the filter chokes. The fix they just made was for an exploit that depended on an ampersand within a html tag. hmmm......
  • Ran a story about it, perhaps slashdot's personal codebase was not vulnerable, and therefore did not warrant mention here. Taco has mentioned several times that /. is running a modifided slashcode that is tweaked and optimized for VA's tastes
    • Slashdot's personal codebase is the reason the bug was found. Trolls were exploiting it. Read my previous journal. Some comments explain what happened.
  • I have this problem with Netscape 6, but with none of the other browsers I've used. (Opera, IE5.5sp2, NS 4.7) I tried it like this: ...pl?sid=XXXXXX&cid=YYYYY and it worked fine. it translated the & to an & when I submitted.

"One day I woke up and discovered that I was in love with tripe." -- Tom Anderson

Working...