Slashcode Login Vulnerability (Patch Available)
Source: Security Protocols
Slash, the code that runs Slashdot and many other web sites, has a cross-site scripting vulnerability in all versions prior to 2.2.5, released February 7, 2002. Users who have JavaScript enabled, and who can be persuaded to click on an attacker's URL on a victim Slash website, will send their Slash cookie, with username and password, to the attacker's website. The attacker can then take over the user's account. If the user is an administrator of the victim Slash website, the attacker can take nearly full control of that site (post and delete stories, edit users, post as other users, etc.).