I think you should make it so people would need to put the 'old' password before choosing the new one. The current way isn't it possible to anyone to change my password just by making me see a page like sla.ckers.org/forum/control.php?password=ilovecheese (just an example)

If i'm wrong please tell me why.
ty

I suppose it's possible. I pretty much assume everyone on this board protects themselves from exploitation, given the subject matter, and it is strictly against the rules of the board to haX0r one another. That link didn't do anything anyway. ;) My password is still X0m8c0*b{ er...

- RSnake
Gotta love it. http://ha.ckers.org

well for the sake of the long term.. it's probably worth adding a current pass check. Not that i'm worried anyone here would try to change my password _-_

Just because car theft is illegal, doesn't mean it's wise to leave them unlocked ..

-maluc

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://sla.ckers.org/forum/control.php&panel=password&forum_id=0&password=haxed&password2=haxed

HAHAHAHA. well done.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

I did not check, but I'm pretty sure it works. My bet is that rsnake was aware of it for a long time, but believed everyone here will obey the rules ;)

Yes, I am/was well aware of it. Ugh... mostly I was hoping I wouldn't have to get off my ass and fix it. I'll have to find some time this week. I hate fixing other people's crappy code.

- RSnake
Gotta love it. http://ha.ckers.org

Security by obscurity at its finest. :-)

Hardly obscured... security by having a very full time day job, a gfnd, a very time consuming part time hobby... eesh! Where do I find the time?

- RSnake
Gotta love it. http://ha.ckers.org

I'm preaty sure you can fix this single "bug" in 5 minutes rsnake but it also should work for email/sig changing, posting etc. So there should be a random identifier for the user session required for every action :F

Someone could do this: make it pm the "hacker" with something so he knows who he has owned, and also change the person email to something so the other person can't retrieve the password :w00t:

--
http://chasenet.org/home/

Actually wouldn't that be an interesting service to provide? Nonces in a secured environment via a third party? Vaguely difficult to implement but could take a lot of the leg work out of it for small companies who don't know how to fix it themselves.

- RSnake
Gotta love it. http://ha.ckers.org

Finally got around to fixing. Simply requires the old password.. as I am too lazy to build in a nonce framework.

-maluc

I don't see the point of this when the site doesnt use encrypted login connections so your password is sent in plain-text so requiring old password to change password is well pointless in my opinion unless its just in place to protect against CSRF.

@CrYpTiC_MauleR: I think that is exactly why the request has been made :). To prevent CSRF.

---
blog [-] microblog

At one point I bought a SSL Cert for this domain, but I forget where I put it...someday, when I get a sysadmin to do shit like that I'll make sla.ckers SSL...

-id

I hear RapidSSL is giving a discount on MD5 signed certs. Hurry on over!

I don't see the point of this when the site doesnt use encrypted login connections so your password is sent in plain-text so requiring old password to change password is well pointless in my opinion.

Make Money From Home Spam



Edited 1 time(s). Last edit at 05/06/2009 10:36PM by thrill.

CSRF? hey check out this blog, (and turn off ur no script) and ignore my hidden iframe to change ur password

i dont know if slackers has csrf protection as i havent tried messing around
so if they do ignore my ramblings

http://www.xssed.com/archive/author=PaPPy/

Trust is a funny thing...

I trust most of you. I don't ask the same back, not that I could do anything.

--
Can you hear them?

So much to learn, so little time...