Abuse of Functionality vulnerabilities in Drupal

["MustLive" <mustlive () websecurity com ua>]

Hello list!

I want to warn you about Abuse of Functionality vulnerabilities in Drupal.

-------------------------
Affected products:
-------------------------

Vulnerable are Drupal 6.20 and previous versions.

----------
Details:
----------

Abuse of Functionality (WASC-42):

There is unreliable mechanism of changing password in the system. In user
profile (http://site/user/1/edit) it's possible to change password without
knowing of current password. And even there is protection against CSRF in
the form, this will not protect against Abuse of Functionality.

Because with using of XSS vulnerabilities it's possible to bypass this
protection and conduct remote attack for changing of the password (including
administrator's one). Or at session hijacking via XSS it's possible to get
into account and change the password. Or it's possible to do that at
temporarily access to user's computer, from which he logged in to his
account.

Abuse of Functionality (WASC-42):

Besides two before-mentioned methods (http://websecurity.com.ua/4763/),
there are the next methods for enumerating of logins of the users.

At the forum (http://site/forum) logins of the users show, which posted at
the forum (opened a topic or wrote a comment).

In section Recent posts (http://site/tracker) at pages "All last posts" and
"My posts" logins of the users show, which wrote posts at the site. Attack
is possible to conduct only for logged in users.

In posts of the blog (http://site/content/post), and also in comments to
blog posts and other pages of the site (http://site/page) logins of the
users show, which made a post in blog or made a comment.

In password recovery form (http://site/user/password) it's possible on find
existent logins and e-mails of the users at the site. If to send incorrect
login or e-mail then the message shows "Sorry, ... is not recognized as a
user name or an e-mail address.", and if to send correct login or e-mail,
then this message will not show.

------------
Timeline:
------------

2010.12.20 - announced at my site.
2010.12.21 - informed developers.
2011.02.18 - disclosed at my site.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/4776/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/