Full Disclosure mailing list archives
Drupal storm 1.32
From: Black Packeteer <black.packeteer () gmail com>
Date: Wed, 12 May 2010 15:11:13 -0400
Drupal Storm module is a CRM type module that allows you to make orgs, people, tasks, and projects. It is used on thousands of sites according to http://drupal.org/project/usage/storm. Storm version 1.32 has a lot of cross site scripting vulns.

Sploits -

* Make or view a Storm organization at ?q=node/add/stormorganization
* <script>alert('sploit');</script> for the Fullname, address, city, state, phone, and taxid values
* Save and watch scripts
* Make new person, ?q=node/add/stormperson
* <script>alert('sploit');</script> for the Name, enter and save it
* Make new project at ?q=node/add/stormproject, use anything and save
* Make new task at ?q=node/add/stormtask using this:
* <script>alert('sploit');</script> for Step no. and Title
* Go to ?q=node/add/stormticket
* Change the 'Project:' drop-down twice to see js alerts
* Make new ticket at ?q=node/add/stormticket
* Go to Timetracking screen at ?q=node/add/stormtimetracking
* Change the 'Project:' drop-down to view alerts
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
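The bug class reported above (stored field values reflected into pages and form rebuilds without escaping), as an added example that is not part of the original post or of the Storm module's own code: a Drupal 6 style render function that concatenates node field values straight into markup, beside the hardened version that routes every untrusted string through check_plain(). The storm_example_* function names and the sample $node are constructed for illustration; the check_plain() fallback exists only so the snippet runs outside a Drupal bootstrap (it mirrors what Drupal's check_plain() does with htmlspecialchars()).

```php
<?php
// Added example, not Storm module code. Shows the vulnerable and the
// hardened way to emit user-supplied node fields in a Drupal 6 module.

// Assumption: outside Drupal, provide the same behaviour as core's
// check_plain() so this file runs stand-alone with plain `php`.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable pattern (hypothetical helper): raw field values are
// concatenated into HTML, so a value like <script>...</script> saved on
// the organization form executes for every viewer of the node.
function storm_example_render_unsafe($node) {
  return '<h2>' . $node->fullname . '</h2>'
       . '<p>' . $node->address . ', ' . $node->city . '</p>';
}

// Hardened pattern (hypothetical helper): each untrusted string is
// escaped at the point of output, so the stored payload is displayed as
// literal text instead of being parsed as markup.
function storm_example_render_safe($node) {
  return '<h2>' . check_plain($node->fullname) . '</h2>'
       . '<p>' . check_plain($node->address) . ', ' . check_plain($node->city) . '</p>';
}

// Constructed sample: a stormorganization node as node_load() might
// return it, with the advisory's payload stored in the fullname field.
$node = new stdClass();
$node->fullname = "<script>alert('sploit');</script>";
$node->address  = '1 Example St';
$node->city     = 'Springfield';

$unsafe = storm_example_render_unsafe($node);
$safe   = storm_example_render_safe($node);

echo "Unsafe output:\n$unsafe\n\n";
echo "Safe output:\n$safe\n\n";

// Quick check a reviewer can run: the hardened output must not contain
// an executable script tag, the unsafe one does.
echo 'Unsafe contains <script>: ' . (strpos($unsafe, '<script>') !== false ? 'yes' : 'no') . "\n";
echo 'Safe contains <script>:   ' . (strpos($safe, '<script>') !== false ? 'yes' : 'no') . "\n";
```

The same rule covers the drop-down findings in the post: any path that re-emits stored values, whether a node view, a rebuilt form, or data handed to JavaScript, has to escape them at output time, since a field that was accepted on save cannot be trusted later.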