[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Default Password not Changed in Install Procedure of Slashcode

Title: Default Password not Changed in Install Procedure of Slashcode
Released by:
Date: 30th September 2000
Printable version: Click here
Slashcode SA-00:00

Topic:          Default Password not Changed in Install Procedure of


Category:       Install

Affects:        All slashcode prior to  2.0-Alpha (bender)

Credits:        Nohican and {} for exploiting.

I. Background

In prior versions of slash there are several issues that one must be

aware of

that are covered in the INSTALL.  One must change the default admin

user/passwd from God/Pete to something else.

Proper setup of Slashcode depends on people reading the INSTALL.

II. Problem description

Because of the slash install and code not having something that forces


admin user to change the password, one may inadvertently be leaving

themselves open to access from the outside by unauthorized users.

III. Impact

Because there are issues in the design of slash prior to rewrite for


someone who has access to an admin account with a seclev of 10,000,

can find ways of executing arbitrary code by inserting a block as the


running the webserver and thereby possibly gaining unauthorized

shell access or access to the database.

As the INSTALL notes, "If you do not change all your passwords, you

almost certainly will get haX0rD."

IV. Workaround

Check to see if you have accounts named God, author or author1 and

that they are not using default passwords. You may also want

to evaluate which accounts have seclev privileges to alter

block data.

V. Solution

We will be releasing a new version of the current main branch

that will no longer have default admin password and will

require you to manually add an admin user.

This issue has been fixed in the development relaese of

slashcode (AKA Bender).


Brian Aker

Slashdot Senior Developer


(C) 1999-2000 All rights reserved.