Author: JT Smith
From Net-Security.org: “The implementation of private notes on plastic.com’s
Slashcode-driven site is insecure. Any logged in user can
view any message in the system.
Description:
After logging into the site as a user,
http://www.plastic.com/message.pl?op=read&m_id=9999
(where m_id= a given message’s ID) will display the
message, even if you weren’t the user that the message
was sent to.”
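
The behaviour reported above amounts to a message lookup that requires a login but never checks that the requested `m_id` belongs to the logged-in user. The following is an added example, not Slashcode's or plastic.com's code: it contrasts that lookup with one bound to the session user, in Python with sqlite3, using a hypothetical `messages` table, hypothetical function names and constructed sample rows.

```python
import sqlite3

def make_db():
    """In-memory store with constructed sample rows (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages ("
               "m_id INTEGER PRIMARY KEY, "
               "recipient_uid INTEGER NOT NULL, "
               "body TEXT NOT NULL)")
    db.executemany("INSERT INTO messages VALUES (?, ?, ?)",
                   [(9998, 1, "note for user 1"),
                    (9999, 2, "note for user 2")])
    return db

def read_message_unscoped(db, session_uid, m_id):
    """Flawed pattern: being logged in is the only condition checked."""
    if session_uid is None:
        return None
    row = db.execute("SELECT body FROM messages WHERE m_id = ?",
                     (m_id,)).fetchone()
    return row[0] if row else None

def read_message_scoped(db, session_uid, m_id):
    """Corrected pattern: the row must also belong to the session user.

    A message owned by someone else and a message that does not exist
    both return None, so the response does not reveal which IDs are in use.
    """
    if session_uid is None:
        return None
    try:
        m_id = int(m_id)  # query-string values arrive as text
    except (TypeError, ValueError):
        return None
    row = db.execute("SELECT body FROM messages "
                     "WHERE m_id = ? AND recipient_uid = ?",
                     (m_id, session_uid)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    # User 1 asks for message 9999, which was sent to user 2.
    print("unscoped:", read_message_unscoped(db, 1, 9999))
    print("scoped:  ", read_message_scoped(db, 1, 9999))
```

Taking the user ID from the server-side session rather than from a request parameter is what makes the ownership condition meaningful.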