| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <AANLkTimZV3vpj9L1nflsSjLGlLich9i7wgG1-CnWIIUu@mail.gmail.com>
Date: Wed, 12 May 2010 15:11:13 -0400
From: Black Packeteer <black.packeteer@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Drupal storm 1.32
Drupal Storm module is a CRM type module that allows you to make orgs,
people, tasks, and project. It is used on thousands of sites according to
http://drupal.org/project/usage/storm. Storm version 1.32 have a lots of
cross site scripting vulns.
Sploits -
* Make or view a Storm organization at ?q=node/add/stormorganization
* <script>alert('sploit');</script> for the Fullname, address, city, state,
phone, and taxid values
* Save and watch scripts
* Make new person, ?q=node/add/stormperson
* <script>alert('sploit');</script> for the Name, enter and save it
* Make new project at ?q=node/add/stormproject, use anything and save
* Make new task at ?q=node/add/stormtask using this:
* <script>alert('sploit');</script> for Step no. and Title
* Go at ?q=node/add/stormticket
* Change twice the 'Project:' drop-down to see js alerts
* Make new ticket at ?q=node/add/stormticket
* Go to Timetracking screen at ?q=node/add/stormtimetracking
* Change the 'Project:' drop-down to view alerts
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists