| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Jun 2011 21:29:20 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk> Subject: XSS and AoF vulnerabilities in Drupal Hello list! I want to warn you about Cross-Site Scripting and Brute Force vulnerabilities in Drupal. ------------------------- Affected products: ------------------------- Vulnerable are Drupal 6.22 and previous versions. Taking into account that developers didn't fixed these holes, then versions 7.x also must be vulnerable. ---------- Details: ---------- XSS (WASC-08): At pages with forms (i.e. at comment page http://site/comment/reply/1, as add data forms, as edit data forms), which are protected by token from CSRF, it's possible to conduct reflected XSS attack. Even without need to know form_token. The hole is similar to previous XSS, but in this case it's reflected XSS (not persistent), much more forms are affected (code will execute not only at edit forms, but also at add forms) and there is no need to know form_token. The attack is conducting on any forms with turned on FCKeditor/CKeditor. Such attack can be conducted and on forms with TinyMCE - I wrote already about such vulnerabilities in PHP-Nuke via TinyMCE (http://packetstormsecurity.org/files/view/99162/phpnuke-iaaxss.txt). If it's edit data form, then the attack can be conducted only on logged-in user which is an owner of this account (who posted this comment, etc.) or on admin of the site. And if it's add data form (i.e. comment), then it's possible to conduct attacks on admin and any logged-in users. Attacking code can be in parameter comment, body or other parameter depending on the form. Exploit: http://websecurity.com.ua/uploads/2011/Drupal%20XSS.html Brute Force (WASC-11): In login form in sidebar, which is placed at any external page of the site (http://site/node), there is no reliable protection against brute force attacks. There is no captcha in Drupal itself, and existent Captcha module (and also all plugins for it, such as reCAPTCHA) is vulnerable, as I wrote already (http://websecurity.com.ua/4763/). Exploit is differ from previous BF: if in previous Brute Force vulnerability form_id equal user_login, then in this one form_id equal user_login_block. ------------ Timeline: ------------ 2010.12.11 - when I informed developers about previous multiple vulnerabilities in Drupal, I told them briefly about these holes. 2011.04.13 - announced at my site. 2011.04.14 - informed developers. 2011.06.25 - disclosed at my site. I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/5077/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists