September 8, 2001

Insecure handling of notes in's Slashcode

Author: JT Smith

From "The implementation of private notes on's
Slashcode-driven site is insecure. Any logged-in user can
view any message in the system.

After logging into the site as a user,
(where m_id= a given message's ID) will display the
message, even if you weren't the user that the message
was sent to."
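
The flaw reported above is a missing authorization check: the handler confirms that someone is logged in but not that the requested message belongs to them. The following is an added example, not Slashcode's code and not part of the original report; the in-memory store, function names, user IDs and message bodies are all constructed assumptions. It shows the lookup that trusts m_id alone beside one that also checks the recipient, plus a small audit that can serve as a regression test.

```python
# Added illustration; not Slashcode code. All names and data are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Message:
    m_id: int
    recipient_uid: int
    body: str

# Constructed sample store keyed by m_id.
MESSAGES = {
    101: Message(101, recipient_uid=7, body="private note for user 7"),
    102: Message(102, recipient_uid=9, body="private note for user 9"),
}

def view_message_insecure(session_uid: Optional[int], m_id: int) -> Optional[str]:
    """Behaviour the report describes: login is checked, ownership is not."""
    if session_uid is None:          # authentication only
        return None
    msg = MESSAGES.get(m_id)
    return msg.body if msg else None

def view_message_checked(session_uid: Optional[int], m_id: int) -> Optional[str]:
    """Same lookup with an authorization check on the recipient."""
    if session_uid is None:
        return None
    msg = MESSAGES.get(m_id)
    # Missing and not-yours give the same result, so the response does not
    # reveal which m_id values exist.
    if msg is None or msg.recipient_uid != session_uid:
        return None
    return msg.body

def audit(handler) -> list:
    """Return (uid, m_id) pairs where a user can read someone else's message."""
    leaks = []
    for uid in {m.recipient_uid for m in MESSAGES.values()}:
        for m_id, msg in MESSAGES.items():
            if msg.recipient_uid != uid and handler(uid, m_id) is not None:
                leaks.append((uid, m_id))
    return sorted(leaks)

if __name__ == "__main__":
    print("insecure leaks:", audit(view_message_insecure))
    print("checked leaks: ", audit(view_message_checked))
```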

