Subscribe: SlashcodeSearch Slashcode
Added By: Feedage Forager Feedage Grade B rated
Language: English
code  cvs  environment  found  list  read story  read  security  site  slash site  slash  slashcode  story slashcode  story 
Rate this Feed
Rate this feedRate this feedRate this feedRate this feedRate this feed
Rate this feed 1 starRate this feed 2 starRate this feed 3 starRate this feed 4 starRate this feed 5 star

Comments (0)

Feed Details and Statistics Feed Statistics
Preview: SlashcodeSearch Slashcode

SlashcodeSearch Slashcode

Slash Open Source ProjectSearch Slashcode stories

Published: 2009-10-01T19:10:11+00:00


Updated Slash Repo on


The public Slash repo has not been updated in awhile. We've moved to git and long story short, it took us some time to make it available. We hope to update the public repo weekly. It is available on, and there's basic instructions available for getting started with the git repo. The old CVS repo will remain there, but for now, it is ... old. So don't use it unless you want to look at ancient history. There's no plans for any tarballs or official releases. If this is of value to you, I suggest you consider doing your own releases of it. Talk to me about it if you're interested in moving forward.

Read more of this story at Slashcode.

Two Slash Data Sanitization Security Issues


Two longstanding security issues were found and fixed in Slash, the code that powers Slashdot, in May 2008. The second of the two -- found and reported to us by Scott R. White, of -- is easily exploitable and must be fixed immediately on all Slash 2.x sites. The first, found and fixed on May 1, was a problem with filtering certain types of form data: form inputs where the form name is matched against a regex. At some point years ago, during refactoring, the code was changed to use a named variable, instead of the default variable, so the matching was not actually being done, and the corresponding values were not being properly sanitized. No known exploits -- either for the database, or cross-site scripting (XSS) -- exist for this issue, but though a code review was performed and a way was not found to abuse it, that doesn't mean it couldn't be abused. The second issue, found and fixed on May 23, is similar: the code to properly filter the "sid" of a story was not anchored properly, and additional data could be tacked onto the value and left unsanitized. We thank Scott R. White for alerting us to the problem in a responsible manner. As with the above issue, no known database exploits exist for this issue, however it is easily exploitable with standard XSS techniques, and all Slash sites must either update to the latest code, or use the patch at the link above to manually fix their site. Both issues have existed for years. If you are on Slash 2.x, you are almost certainly affected. As always (not that this happens often!), please contact us about security matters at, and join the low-traffic slashcode-general mailing list to keep updated on security-related matters. This security warning has been posted to that list.

Read more of this story at Slashcode.

Full disclosure on Friday's security issue, and new patch


On Friday, January 4, 2008, a serious security vulnerability was discovered, and an exploit demonstrated, in the then-current version of Slash. The vulnerability was an SQL injection. Its effect was to allow a user with no special authorization to read any information from any table the Slash site's mysql user was authorized to read (which may include other databases, including information_schema). This vulnerability has been present in Slash for years. We are not going to list which specific versions of Slash are vulnerable, because as far as we know, they all are. Fortunately for those of you who are not running near-current CVS, the patch is easy to apply to all versions of Slash. The Slash programming team would like to thank blackybr, of the Russian web-security portal site, for bringing this to our attention in a responsible manner. The ability of an attacker to read the users table is why we urged Slash sites on Friday to change their admins' passwords. Whether the threat rises to the level of requiring all your users to change their passwords, we leave up to site administrators. Mitigating factors include: We are not aware of this attack actually having been used. Of course, since we are providing full information today, every Slash site administrator should assume that attackers are now actively trying to penetrate your site using this information. Passwords are MD5'd in the users table, so an attacker does not learn them directly. (It is of course likely that one or more of your users has an MD5 that shows up in a dictionary hash table, and/or than an attacker can brute-force the hashes offline.) If your site is running MySQL 4.0 or earlier, we do not know of any way that significant data could be retrieved. SQL injections on MySQL do not allow for multiple queries in the default configuration, so the way to retrieve data is to inject an ANDed subquery into a WHERE clause known to be true and see whether the expected data is successfully returned. This tells the attacker one bit of information, for example, whether ASCII(SUBSTRING((SELECT x FROM y WHERE z), 1, 1)) > 90. Absent subqueries, which were added in MySQL 4.1, only data from the main query's table can be retrieved. In this case, the only known exploitable table is journals, from which not much interesting can be learned. As far as we know, numerous requests in this fashion are required to obtain each byte of data. On the order of 100 requests are needed to obtain a user password. You may be able to scan your site's web logs to see if you can locate multiple suspicious-looking requests, especially to The word "select" in a query string would be a giveaway. One of the first things that an attacker would likely do is to obtain an administrator's password. Since Slash keeps permanent records of all administrator accesses, you may wish to scan that log for unexpected and possibly unauthorized logins. For example: mysql> SELECT uid, host_addr, MIN(ts), MAX(ts), COUNT(*) FROM accesslog_admin WHERE ts >= '2007-12-01 00:00:00' GROUP BY uid, host_addr; Today, I have committed two more fields in the $form hashref to be run through filter_params. They are content_type, for which I could find no vulnerabilities, and userfield, for which a XSS vulnerability (less serious than blackybr's) was found. We therefore again urge Slash site administrators to either update to the latest version in CVS, or to manually add those two fields to the alphanumeric $form field filtering done in, as follows: diff -U3 -r1.224 -r1.225 --- Slash/Utility/Environment/ 4 Jan 2008 19:14:07 -0000 1.224 +++ Slash/Utility/Environment/ 7 Jan 2008 21:30:09 -0000 1.225 @@ -1856,8 +1856,8 @@ # fields that have ONLY a-zA-Z0-9_ my %alphas = map {($_ => 1)} qw( - fieldname formkey commentstatus filter - hcanswer mode op section thisname type reskey + content_type fieldname formkey commentstatus filter + hcanswer mode op section thisname type reskey userfield comm[...]

Security: add 'id' to filter_params


Whatever version of Slash you are running, please add 'id' to the list of numeric filtered parameters. This list can be found in the filter_params subroutine in If you are on near-current code, you can just update to current code, as the fix is in CVS. If not, here is the (extremely simple) diff: diff -U3 -r1.223 -r1.224 --- Slash/Utility/Environment/ 24 Oct 2007 21:19:34 -0000 1.223 +++ Slash/Utility/Environment/ 4 Jan 2008 19:14:07 -0000 1.224 @@ -1823,7 +1823,7 @@ # fields that are numeric only my %nums = map {($_ => 1)} qw( - approved artcount art_offset bseclev + approved artcount art_offset bseclev id buymore cid clbig clsmall cm_offset commentlimit commentsort commentspill del displaystatus limit You should also change the passwords for all your admin user accounts. We are working on a more complete writeup of this issue, and we will append it to this story on Monday morning, Jan. 7. Please check back then. This message is also being sent to our slashcode-general mailing list (which all Slash site administrators should be reading). Monday Update: Please see today's story with more information and a new (also small) patch.

Read more of this story at Slashcode.

Update DST Table for 2007


Because of a change in U.S. law in 2005 (and in Canada, where most provinces have followed suit), DST is now a few weeks longer. Which means Slash needs a small update. Here's the SQL line to run (and it will be added to the sql/upgrades file next week). REPLACE INTO dst (region, selectable, start_hour, start_wnum, start_wday, start_month, end_hour, end_wnum, end_wday, end_month) VALUES ('America', 1, 2,  2, 0, 2, 2,  1, 0, 10); Don't forget to run it before DST starts again, at 2 a.m. on the second Sunday in March (March 11 this coming year).

Read more of this story at Slashcode.

R_2_5_0_94 Bugfix


This weekend, a bugfix for R_2_5_0_94 was committed. The commit has been retagged so that a checkout of R_2_5_0_94 will give the fixed code. This is still the version that we recommend for new installs of Slash -- see previous story for details of how to install _94. This fixes the issue that had been reported months ago that we never got around to fixing, namely, of the stray punctuation in slashschema_create.sql: @@ -456,7 +456,7 @@ dkid TINYINT UNSIGNED NOT NULL AUTO_INCREMENT, name VARCHAR(30) NOT NULL DEFAULT '', PRIMARY KEY (dkid), - UNIQUE name (name), + UNIQUE name (name) ) TYPE=InnoDB; # We apologize for this solution taking much, much longer than we'd initially thought. This has been a particularly persistent bug. But we are confident that when the final history of Slash 2.5 is written, it will look like just a comma.

Read more of this story at Slashcode.

R_2_5_0_94 released


As you may know, Slash development for the past several years has all been in CVS, with no tarball releases. We may do a tarball at some point, but for now, we recommend installing the most recent R_ tagged code from CVS. We tag the code with T_ for our own use (on Slashdot, and and when we feel one of those weekly test builds is stable enough, we also slap an R_ tag on it. A complete list of tags can always be found on (in the "Show files using tag" menu). If you are running a site on a very old version of Slash pre-2.2.6, we still recommend that you upgrade to 2.2.6, but the upgrade path beyond that to a recent CVS version will be long and difficult. We recommend you research whether you want to do that. On the other hand, if you have not already invested a lot of time into a Slash site, we strongly recommend that you begin with the most recent R_ tag. Today we made a new R_ tag, our version of Slash from January 11, 2006: R_2_5_0_94. This is the most recent since R_2_5_0_74, which dates from June 2005. The biggest change is CSS, which was implemented just a few weeks after _74. Other changes include reskeys (which largely replace formkeys), and public logtokens (which improve security). So the current recommended process to build Slash is: cvs login (password is blank) cvs co -P -r R_2_5_0_94 slash In the slash directory created, read the INSTALL file (the entire file, especially REQUIREMENTS). Then, if you still want to install Slash, follow the instructions in that file carefully!

Read more of this story at Slashcode.

Preferred Distro for Slash?


Justin Mazzi writes "Those of use eager to install slashcode come across what I would assume to be a common question. What is the best distro for running slashcode? Install seems possible on many different systems, but I'm looking for the best/most compatible." I think once you have the AMP installed the exact flavor of L doesn't much matter, but feel free to share positive/negative experiences.

Read more of this story at Slashcode.

Poll I found this article to be
Very Helpful
Not Helpful
Not Very Helpful
[ Results | Polls ]



Lord Satri writes "Probably the first brand-new slash site using the CSS code, we are pleased to announce the launch of As its name suggests, SlashGISRS target the Geographic Information Systems and Remote Sensing communities. SlashGISRS is a direct sibling of Applied-GIS-RS, a 1000+ members mailing list. Amongst many features offered such as the slash moderation system, slashgisrs is not bloated by ads and is managed by a non-for-profit organization. Read the full announcement here."

Read more of this story at Slashcode.

Poll I found this site to be
Well designed
A personal site
[ Results | Polls ]

Slash + CSS


We've been working for some time now on getting Slash to utilize CSS and also updating it's old crufty HTML while we're at it. We've moved Slash to HTML Strict 4.01. and are currently running on this code. You can take a look at the markup, or log in and take a look around. If you'd like to see what Slashdot might look like you can activate the Slashdot stylesheet on in Firefox by choosing View > Page Style > Slashdot. I'm sure you can do the same thing with other browsers but you're on your own for the specifics of how to do so.

Read more of this story at Slashcode.