
FortKnox's Journal: Slashcode Vulnerability Has Stayed Silent?

Looks like the slashcode vulnerability which I discussed in this journal entry, which points out jamie's response, seems to not be important enough for the front page of slashdot, or any story on slashdot at all.

So MS exploits and other open source exploits can be pointed out (and mocked, for MS), but we'll keep our trap shut for our own bugs??

I'll be sure to point out this journal entry the next time Slashdot decides to bash MS, you can be sure of it.

Before you freak about the jamie link, slashdot seems to be swallowing the "&cid", here's the link printed out:
http://slashdot.org/comments.pl?sid=35258&cid=3807153

  • Jamie made a post to bugtraq responding to the one made earlier yesterday. http://archives.neohapsis.com/archives/bugtraq/2002-07/0013.html [neohapsis.com]

    It seems the bug was not in the current slash release, only the release under development. Which raises the question, why is slashdot running the most recent development release, not the current release? Are we users their testers? Do they depend on the large number of trolls here to exploit those holes so they can weed them out?

    Also, most slashdot editors know the deal with reporting holes. I don't think I've seen them criticize someone for quietly going to the vendor first (Microsoft or otherwise), but I have seen them criticize those who flat out go public right away. It's mostly the others (regular users & Michael) who make fun of MS every chance they get, no matter how much notice MS had or didn't have.

    Also - thinking about that html href trouble -- I wonder if by having the ampersand, the filter chokes. The fix they just made was for an exploit that depended on an ampersand within a html tag. hmmm......
  • Ran a story about it, perhaps slashdot's personal codebase was not vulnerable, and therefore did not warrant mention here. Taco has mentioned several times that /. is running a modified slashcode that is tweaked and optimized for VA's tastes.
    • Slashdot's personal codebase is the reason the bug was found. Trolls were exploiting it. Read my previous journal. Some comments explain what happened.
  • I have this problem with Netscape 6, but with none of the other browsers I've used. (Opera, IE5.5sp2, NS 4.7) I tried it like this: ...pl?sid=XXXXXX&cid=YYYYY and it worked fine. It translated the & to an & when I submitted.
