[LWN Logo]
[Timeline]
Date:         Fri, 29 Sep 2000 01:25:09 -0700
Subject:      Default admin password with Slashcode.
To: BUGTRAQ@SECURITYFOCUS.COM

Slashcode SA-00:00

Topic:          Default Password not Changed in Install Procedure of
Slash

Category:       Install
Affects:        All slashcode prior to  2.0-Alpha (bender)

Credits:        Nohican and {} for exploiting.

I. Background

In prior versions of slash there are several issues that one must be aware of
that are covered in the INSTALL.  One must change the default admin
user/passwd from God/Pete to something else.
Proper setup of Slashcode depends on people reading the INSTALL.

II. Problem description

Because of the slash install and code not having something that forces the
admin user to change the password, one may inadvertently be leaving
themselves open to access from the outside by unauthorized users.


III. Impact
Because there are issues in the design of slash prior to rewrite for 2.0,
someone who has access to an admin account with a seclev of 10,000,
can find ways of executing arbitrary code by inserting a block as the user
running the webserver and thereby possibly gaining unauthorized
shell access or access to the database.

As the INSTALL notes, "If you do not change all your passwords, you
almost certainly will get haX0rD."


IV. Workaround

Check to see if you have accounts named God, author or author1 and
that they are not using default passwords. You may also want
to evaluate which accounts have seclev privileges to alter
block data.

V. Solution

We will be releasing a new version of the current main branch
that will no longer have default admin password and will
require you to manually add an admin user.
This issue has been fixed in the development relaese of
slashcode (AKA Bender).

______________________________________________________________________
Brian Aker
Slashdot Senior Developer
http://slashcode.com/