Open Source and information security mailing list archives
Message-ID: <a48fd1f4-9973-42b6-827d-8af7cff4d96f@email.android.com>
Date: Tue, 11 May 2010 07:25:32 -0400
From: "Justin C. Klein Keane" <jkleinkeane@...il.com>
To: Andrew Farmer <andfarm@...il.com>,
	"Justin C.Klein Keane" <justin@...irish.net>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Drupal Context Module XSS

No, there are various types of admin privileges, such as admin blocks, admin views, admin content types and admin users.  On large sites it is common to divide up these privileges to various user groups.  Some are more powerful than others.  Admin blocks is generally used for layout and is not considered as powerful as, say, admin users.  XSS is particularly dangerous in Drupal because it can be used to launch XSRF that bypasses Drupal's XSRF defenses.  Using XSS you can silently reset the super user password (which has all privs including the ability to craft PHP).  So, you could use XSS to attack site users or site admins.

"Andrew Farmer" <andfarm@...il.com> wrote:

>On 10 May 2010, at 06:08, Justin C. Klein Keane wrote:
>> Drupal security responds that they do not coordinate security fixes for
>> modules in release candidate designation.  Vulnerability was reported to
>> the module maintainer via the public issue queue at the direction of
>> Drupal security.
>
>Also, isn't it pretty well established by this point that Drupal generally doesn't consider XSS to be a vulnerability if you need an admin account to trigger it?
-- 
Justin Klein Keane
http://www.MadIrish.net
Sent from my Android please excuse any brevity.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
