September 8, 2001

Insecure handling of notes in Plastic.com's Slashcode

Author: JT Smith

From Net-Security.org: "The implementation of private notes on plastic.com's
Slashcode-driven site is insecure. Any logged in user can
view any message in the system.

Description:
After logging into the site as a user,
http://www.plastic.com/message.pl?op=read&m_id=9999
(where m_id= a given message's ID) will display the
message, even if you weren't the user that the message
was sent to."

Category:

  • Linux
Click Here!