| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 30 Jun 2011 23:02:31 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk> Subject: Vulnerabilities in Print for Drupal Hello list! I want to warn you about Abuse of Functionality and Insufficient Anti-automation vulnerabilities in Print module for Drupal. ------------------------- Affected products: ------------------------- Vulnerable are versions Print 5.x-4.11, 6.x-1.12, 7.x-1.x-dev and previous versions. ---------- Details: ---------- Abuse of Functionality (WASC-42): Form for sending of content by e-mail (http://site/printmail/1) can be used for sending of spam, at that it's possible to set all main fields (which can be used for spoofing): return address (by changing it in profile), name, e-mail or few e-mails of recipients, subject and text of the message. Also it's possible to select for sending in letter's text the pages made by the user itself, which allows to create spam messages at the site for the following sending of them by e-mail (for maximum control of content of spam-letters). Insufficient Anti-automation (WASC-21): At page for sending of content by e-mail (http://site/printmail/1) there is no protection from automated requests (captcha). Which allows automated sending of spam on arbitrary e-mails. Limit on maximum of 3 messages per hour is bypassing by sending of messages from different IP (even being logged into the same account). Exploit: http://websecurity.com.ua/uploads/2011/Drupal%20Print%20IAA.html And taking into account two Brute Force vulnerabilities in Drupal (lack of the captcha), which I mentioned about earlier, then automated login is possible, which will allow to completely automate this process. Which I wrote about in the article Attacks on unprotected login forms (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html). ------------ Timeline: ------------ 2011.04.15 - announced at my site. 2011.04.17 - informed developer. 2011.06.30 - disclosed at my site. I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/5083/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists