Full Disclosure mailing list archives
Re: Abuse of Functionality vulnerabilities in Drupal
From: tc <toughcrowd () gmail com>
Date: Mon, 21 Feb 2011 23:11:14 +0800
------------- Timeline: ------------- 2009.03.05 - disclosed at http://www.madirish.net/?article=239 2009.03.15 - posted to FD (http://seclists.org/fulldisclosure/2009/Mar/115) 2009.03.15 - 2010.12.20 - No one gave a fuck 2010.12.20 - MustLive announced at my site. 2010.12.21 - MustLive informed developers. 2011.02.18 - disclosed at MustLive's site. 2011.02.18 - current - Everyone continued to not give a fuck On Mon, Feb 21, 2011 at 11:00 PM, Justin Klein Keane <justin () madirish net> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------ Timeline: - ------------ 2009.03.05 - disclosed at http://www.madirish.net/?article=239 2009.03.15 - posted to FD (http://seclists.org/fulldisclosure/2009/Mar/115) 2010.12.20 - MustLive announced at my site. 2010.12.21 - MustLive informed developers. 2011.02.18 - disclosed at MustLive's site. Justin C. Klein Keane http://www.MadIrish.net The digital signature on this message can be confirmed using the public key at http://www.madirish.net/gpgkey On 02/19/2011 02:28 PM, MustLive wrote:Hello list! I want to warn you about Abuse of Functionality vulnerabilities in Drupal. ------------------------- Affected products: ------------------------- Vulnerable are Drupal 6.20 and previous versions. ---------- Details: ---------- Abuse of Functionality (WASC-42): There is unreliable mechanism of changing password in the system. In user profile (http://site/user/1/edit) it's possible to change password without knowing of current password. And even there is protection against CSRF in the form, this will not protect against Abuse of Functionality. Because with using of XSS vulnerabilities it's possible to bypass this protection and conduct remote attack for changing of the password (including administrator's one). Or at session hijacking via XSS it's possible to get into account and change the password. Or it's possible to do that at temporarily access to user's computer, from which he logged in to his account. Abuse of Functionality (WASC-42): Besides two before-mentioned methods (http://websecurity.com.ua/4763/), there are the next methods for enumerating of logins of the users. At the forum (http://site/forum) logins of the users show, which posted at the forum (opened a topic or wrote a comment). In section Recent posts (http://site/tracker) at pages "All last posts" and "My posts" logins of the users show, which wrote posts at the site. Attack is possible to conduct only for logged in users. In posts of the blog (http://site/content/post), and also in comments to blog posts and other pages of the site (http://site/page) logins of the users show, which made a post in blog or made a comment. In password recovery form (http://site/user/password) it's possible on find existent logins and e-mails of the users at the site. If to send incorrect login or e-mail then the message shows "Sorry, ... is not recognized as a user name or an e-mail address.", and if to send correct login or e-mail, then this message will not show. ------------ Timeline: ------------ 2010.12.20 - announced at my site. 2010.12.21 - informed developers. 2011.02.18 - disclosed at my site. I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/4776/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iPwEAQECAAYFAk1ifhMACgkQkSlsbLsN1gBIGwb/b+4L5kuSZergm1xuNle4JMeC itwiMfMzmFjWFJojO/+h65iKjkVyzVeZdscZHT+yIXIr0C2WpmxoVukALd184gWB t3XfGO0cGche3dqZOcCCMHS6thJREKwSNqilxoYV4Wizmz9C2P9OullXhudRIefp 7CxX/O2U7oJgAbnJNNjUGNPotee4SzFCLdwN4KHXNVrCorVIViIPDMZT2BxU6cct jhp8QFQ5tVXwamdhbA5s+ALnmXc4rvedjYQesrre3c9IAh0IWL/6bYtXcluTDGP7 OJD2Yj5VjnriJSGErsM= =1WaJ -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Abuse of Functionality vulnerabilities in Drupal MustLive (Feb 19)
- Re: Abuse of Functionality vulnerabilities in Drupal Justin Klein Keane (Feb 21)
- Re: Abuse of Functionality vulnerabilities in Drupal tc (Feb 21)
- Re: Abuse of Functionality vulnerabilities in Drupal Cal Leeming [Simplicity Media Ltd] (Feb 21)
- Re: Abuse of Functionality vulnerabilities in Drupal Justin Klein Keane (Feb 21)
- Re: Abuse of Functionality vulnerabilities in Drupal tc (Feb 21)
- Re: Abuse of Functionality vulnerabilities in Drupal Justin Klein Keane (Feb 21)