| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 11 May 2010 08:59:06 -0400 From: "Justin C. Klein Keane" <justin@...irish.net> To: full-disclosure@...ts.grok.org.uk Subject: Re: Drupal Context Module XSS -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 It's an interesting question. Drupal has many different privileges that include the word 'administer' but Drupal security considers a handful of them to be so powerful that vulnerabilities requiring those privileges are not considered vulnerabilities (zen moment: when is a vuln not a vuln?) (Ref: http://drupal.org/node/475848). I always conceived of Drupal as a multi-user system that delegated privilege. However, if every privilege could lead to full system access then there really isn't any point in subdividing privilege. On a small site with only a couple of admins (like a personal blog) this isn't really an issue. When the problem happens to be on an enterprise system then it is probably more of an issue. Although labeled as XSS, many of the vulnerabilities I find in Drupal could probably be more accurately defined as "privilege escalation via XSS" vulnerabilities. If you're the only admin then it doesn't matter, but if any of the 30 "editor" accounts can be used to escalate to admin and write arbitrary PHP then you've got big problems. Justin C. Klein Keane http://www.MadIrish.net The digital signature on this message can be confirmed using the public key at http://www.madirish.net/gpgkey On 05/11/2010 01:33 AM, Andrew Farmer wrote: > On 10 May 2010, at 06:08, Justin C. Klein Keane wrote: >> Drupal security responds that they do not coordinate security fixes for >> modules in release candidate designation. Vulnerability was reported to >> the module maintainer via the public issue queue at the direction of >> Drupal security. > > Also, isn't it pretty well established by this point that Drupal generally doesn't consider XSS to be a vulnerability if you need an admin account to trigger it? > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iPwEAQECAAYFAkvpVJoACgkQkSlsbLsN1gDnkAb/QRCF32FjzaZXoL/SQdVmHqDX 9hSwTXAbFxdVsxGN9VsGVMb646yHR/77yhQT6/SPTpEWwFWnu9uVxpCD5IojcVM8 po7mkfGFZjhg2ygi/8YVQpALYGH/XJ65ZoPdHuBGA/pCHRUN1ScfmmSTJuxa4Whj N/yvqFNA0FUQakqCfXNwcoWoAV2HXXodCdm8HX7IgIA1fCpE8U2aOigFxNaNT/1y SsAfqzVAp7yZAP1tp7Uz5ouoVsfsiVkQbh11z2z+zzRwob4wADdtynV4EUdhmRdq zzwf5lQVUqWI3QRQEMc= =VcjZ -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists