Re: Abuse of Functionality vulnerabilities in Drupal

[Justin Klein Keane <justin () madirish net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Drupal's dev team gave enough of a fuck to fix the issue in Drupal 7
(http://drupal.org/node/86299).  I am not aware of any evidence of this
flaw being exploited in the wild, however, with high profile, state
sponsored, sites like WhiteHouse.gov running Drupal it is reasonable to
assume that any flaw in Drupal, no matter how small, is going to receive
attention.

Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey

On 02/21/2011 10:15 AM, Cal Leeming [Simplicity Media Ltd] wrote:
> Anyone aware of this being abused in the wild?
>
> On Mon, Feb 21, 2011 at 3:11 PM, tc <toughcrowd () gmail com
> <mailto:toughcrowd () gmail com>> wrote:
>
>     -------------
>      Timeline:
>     -------------
>
>     2009.03.05 - disclosed at http://www.madirish.net/?article=239
>     2009.03.15 - posted to FD
>     (http://seclists.org/fulldisclosure/2009/Mar/115)
>     2009.03.15 - 2010.12.20 - No one gave a fuck
>     2010.12.20 - MustLive announced at my site.
>     2010.12.21 - MustLive informed developers.
>     2011.02.18 - disclosed at MustLive's site.
>     2011.02.18 - current - Everyone continued to not give a fuck
>
>
>
>     On Mon, Feb 21, 2011 at 11:00 PM, Justin Klein Keane
>     <justin () madirish net <mailto:justin () madirish net>> wrote:
> ------------
> Timeline:
> ------------
>
> 2009.03.05 - disclosed at http://www.madirish.net/?article=239
> 2009.03.15 - posted to FD
> >     (http://seclists.org/fulldisclosure/2009/Mar/115)
> 2010.12.20 - MustLive announced at my site.
> 2010.12.21 - MustLive informed developers.
> 2011.02.18 - disclosed at MustLive's site.
>
> Justin C. Klein Keane
> http://www.MadIrish.net
>
> The digital signature on this message can be confirmed
> using the public key at http://www.madirish.net/gpgkey
>
> On 02/19/2011 02:28 PM, MustLive wrote:
> >     >> Hello list!
> >     >>
> >     >> I want to warn you about Abuse of Functionality vulnerabilities
> >     in Drupal.
> >     >>
> >     >> -------------------------
> >     >> Affected products:
> >     >> -------------------------
> >     >>
> >     >> Vulnerable are Drupal 6.20 and previous versions.
> >     >>
> >     >> ----------
> >     >> Details:
> >     >> ----------
> >     >>
> >     >> Abuse of Functionality (WASC-42):
> >     >>
> >     >> There is unreliable mechanism of changing password in the system.
> >     In user
> >     >> profile (http://site/user/1/edit) it's possible to change
> >     password without
> >     >> knowing of current password. And even there is protection against
> >     CSRF in
> >     >> the form, this will not protect against Abuse of Functionality.
> >     >>
> >     >> Because with using of XSS vulnerabilities it's possible to bypass
> >     this
> >     >> protection and conduct remote attack for changing of the password
> >     (including
> >     >> administrator's one). Or at session hijacking via XSS it's
> >     possible to get
> >     >> into account and change the password. Or it's possible to do that at
> >     >> temporarily access to user's computer, from which he logged in to his
> >     >> account.
> >     >>
> >     >> Abuse of Functionality (WASC-42):
> >     >>
> >     >> Besides two before-mentioned methods
> >     (http://websecurity.com.ua/4763/),
> >     >> there are the next methods for enumerating of logins of the users.
> >     >>
> >     >> At the forum (http://site/forum) logins of the users show, which
> >     posted at
> >     >> the forum (opened a topic or wrote a comment).
> >     >>
> >     >> In section Recent posts (http://site/tracker) at pages "All last
> >     posts" and
> >     >> "My posts" logins of the users show, which wrote posts at the
> >     site. Attack
> >     >> is possible to conduct only for logged in users.
> >     >>
> >     >> In posts of the blog (http://site/content/post), and also in
> >     comments to
> >     >> blog posts and other pages of the site (http://site/page) logins
> >     of the
> >     >> users show, which made a post in blog or made a comment.
> >     >>
> >     >> In password recovery form (http://site/user/password) it's
> >     possible on find
> >     >> existent logins and e-mails of the users at the site. If to send
> >     incorrect
> >     >> login or e-mail then the message shows "Sorry, ... is not
> >     recognized as a
> >     >> user name or an e-mail address.", and if to send correct login or
> >     e-mail,
> >     >> then this message will not show.
> >     >>
> >     >> ------------
> >     >> Timeline:
> >     >> ------------
> >     >>
> >     >> 2010.12.20 - announced at my site.
> >     >> 2010.12.21 - informed developers.
> >     >> 2011.02.18 - disclosed at my site.
> >     >>
> >     >> I mentioned about these vulnerabilities at my site
> >     >> (http://websecurity.com.ua/4776/).
> >     >>
> >     >> Best wishes & regards,
> >     >> MustLive
> >     >> Administrator of Websecurity web site
> >     >> http://websecurity.com.ua
> >     >>
> >     >>
> >     >> _______________________________________________
> >     >> Full-Disclosure - We believe in it.
> >     >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >     >> Hosted and sponsored by Secunia - http://secunia.com/
>     >
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
>     >

>     _______________________________________________
>     Full-Disclosure - We believe in it.
>     Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>     Hosted and sponsored by Secunia - http://secunia.com/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAk1ijk0ACgkQkSlsbLsN1gDH3Ab/RoET2uJHrTf2gF0sBKds//Mj
W8iEpWK2TC6Zdu3R8i/z3b3E+9GssBkyKTANuaInN2hLlgX75WU15XPB69iRMiGj
c6Gd4BUjF5pHcZSl5LWtfnRjlRLLYCDhGWxZ0983W0iNkVggd9O+qGHWk8jSC6Sk
UzpZdxOD0PFceV0GR/jNVphFj9LjRLM/uqxo2VS9hg0M5WWRWRkIulL9Rju2H1L8
87Tu3avXf7hFL9ZOFlomks5/+6bcRteuMGcsDFHlQ4Y2MfOHkN91NgpL7aD6YssY
LX/yR698jEnnA3Eo7io=
=j8Em
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/