lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4981E016.3020007@madirish.net>
Date: Thu, 29 Jan 2009 11:57:58 -0500
From: "Justin C. Klein Keane" <justin@...irish.net>
To: Valdis.Kletnieks@...edu, full-disclosure@...ts.grok.org.uk
Subject: Re: Drupal Imagefield Module Multiple
	Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

  in one scenario you allow a Drupal 5.x user to administer content
types - to set up new structures for node content.  This permission
doesn't allow the user to create content, to upload material, or to
interact with the filesystem in any way.  With the Imagefield module
installed this user can move non-image files onto the filesystem.
'Administer content types' privilege only lets a user set up new
structures for content nodes, not create content, or even upload
material to the filesystem, except for the 'default image' used in the
content type.  The flaw allows such a user to upload any number of
files, opening avenues to trigger local file inclusion vulnerabilities,
hosting malware, phishing, etc., etc.  The route to exploitation might
be oblique, but ideally it shouldn't exist at all.

Justin C. Klein Keane
http://www.MadIrish.net

Valdis.Kletnieks@...edu wrote:
> On Thu, 29 Jan 2009 09:15:46 EST, "Justin C. Klein Keane" said:
> 
>> Two flaws exist in this module.  The first flaw allows for an attacker
>> to upload arbitrary files to the filesystem.  The vulnerability allows
>> attackers to upload arbitrary files in place of the 'Default image'
>> specified in the Imagefield specifications for a content type field.
> ....
>> Attackers must be authenticated with an account that has 'administer
>> content types' permissions.
> 
> Umm.. what's the risk here?  Does the flaw allow the attacker to upload
> files that wouldn't be permitted even as the authorized account?  Seems if
> they can administer content types, they can drop pretty much whatever they
> want onto the server (possibly limited as to where in the tree though), and
> all this does is let them drop stuff outside said tree?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQD1AwUBSYHgFpEpbGy7DdYAAQJCiQb+IluH+IhHZcvc3wNNsj2OrnZUUpS5jrpR
6inT0K6tExaH/hR2GQ7RzvFgC4iEgaRG6LbjqSC004q0wBrzM4/heS7QUPyL5PN5
uJXefyC/NJQNjKhaZ+0viC6fccwlbO72eTyghe6VzTHYN4IdiMwjB/cV62zZFBeA
n5ZPjqr61e7NGg20dZW7IigpjJjA4YJke2P3naYwKTgns5RY/yMjFYRJr1WA3fXt
0vRXKbERw1RHsgiwHxEAHG8uOgfMF5hncDCpSYw2fvSkIONvEhi5a4wWksHou3VH
SKn2WjZLvT4=
=GiiR
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ