Date: Fri, 14 Jan 2011 12:35:43 -0500
From: Justin Klein Keane <justin@...irish.net>
To: YGN Ethical Hacker Group <lists@...g.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Drupal 5.x, 6.x <= Stored Cross Site Scripting Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think I should also point out that I disclosed these vulnerabilities
starting in May of 2009 (http://www.madirish.net/?article=256, and
similarly http://www.madirish.net/?article=429) and went through this
same discussion already.

Justin Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed using
the public key at http://www.madirish.net/gpgkey

On 01/13/2011 11:40 PM, YGN Ethical Hacker Group wrote:
> On Fri, Jan 14, 2011 at 4:28 AM, Justin Klein Keane <justin@...irish.net> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Drupal security has been aware of this issue for quite some time now.
>> But basically, as their response indicates, you need admin access to
>> exploit these issues.  However, if you have admin access you can execute
>> PHP and basically do anything you want.  Your vulnerability hinges on
>> being able to bypass the CSRF security in place in Drupal.  Seems like a
>> bit of a stretch to release this as an advisory.  Why not include the
>> fact that if you can bypass the CSRF detection you can also execute
>> arbitrary code with the privileges of the web server?
>>
>
> "If you 0wn a server, you 0wn one machine"
>
> "If you 0wn clients, you 0wn thousands of machines".
>
> http://cyberinsecure.com/?s=iframe
