lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 11 May 2010 08:59:06 -0400
From: "Justin C. Klein Keane" <>
Subject: Re: Drupal Context Module XSS

Hash: SHA1

It's an interesting question.  Drupal has many different privileges that
include the word 'administer' but Drupal security considers a handful of
them to be so powerful that vulnerabilities requiring those privileges
are not considered vulnerabilities (zen moment: when is a vuln not a
vuln?) (Ref:  I always conceived of
Drupal as a multi-user system that delegated privilege.  However, if
every privilege could lead to full system access then there really isn't
any point in subdividing privilege.  On a small site with only a couple
of admins (like a personal blog) this isn't really an issue.  When the
problem happens to be on an enterprise system then it is probably more
of an issue.  Although labeled as XSS, many of the vulnerabilities I
find in Drupal could probably be more accurately defined as "privilege
escalation via XSS" vulnerabilities.  If you're the only admin then it
doesn't matter, but if any of the 30 "editor" accounts can be used to
escalate to admin and write arbitrary PHP then you've got big problems.

Justin C. Klein Keane

The digital signature on this message can be confirmed
using the public key at

On 05/11/2010 01:33 AM, Andrew Farmer wrote:
> On 10 May 2010, at 06:08, Justin C. Klein Keane wrote:
>> Drupal security responds that they do not coordinate security fixes for
>> modules in release candidate designation.  Vulnerability was reported to
>> the module maintainer via the public issue queue at the direction of
>> Drupal security.
> Also, isn't it pretty well established by this point that Drupal generally doesn't consider XSS to be a vulnerability if you need an admin account to trigger it?
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> Hosted and sponsored by Secunia -
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora -


Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists