lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 16 Feb 2010 10:06:53 -0500
From: Martin Barbella <barbella@....upenn.edu>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: Information disclosure vulnerability in Drupal's Realname User Reference
 Widget contributed module (version 6.x-1.0)

Information disclosure vulnerability in Drupal's Realname User Reference
Widget contributed module (version 6.x-1.0)
 
Discovered by Martin Barbella <barbella@....upenn.edu>
 
Description of Vulnerability:
-----------------------------
Drupal is a free software package that allows an individual or a
community of users to easily publish, manage and organize a wide variety
of content on a website (http://drupal.org/about).
 
The Realname CCK User Reference Widget module adds a new widget to the
User Reference CCK field type that uses the Realnames for autocompletion
(http://drupal.org/project/realname_userreference).
 
Only the access content permission is needed to access the page which
displays the user names and real names for users, used by the
autocompletion widget, resulting in an information disclosure
vulnerability.
 
Systems affected:
-----------------
This has been confirmed in version 6.x-1.0 of the Realname User
Reference Widget module.
 
Impact:
-------
This would allow an attacker to collect user names for brute force
attacks, or real names of users for targeted phishing.
 
Mitigating factors:
-------------------
A user must have the access content permission to exploit this
vulnerability, though in most cases even anonymous users would have this
permission.
 
Proof of concept:
-----------------
1. Install the module and its dependencies
2. Configure Realname
3. As any user with access content, visit
realnameuserreference/autocomplete or
realnameuserreference/autocomplete/<search terms>
4. Note that real names and usernames can be gathered from the output
 
Timeline:
---------
2010-02-01 - Drupal Security notified
2010-02-16 - Still no response from Drupal Security
2010-02-16 - Public disclosure

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ