lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <002801cbd06c$422caaa0$c103fea9@ml>
Date: Sat, 19 Feb 2011 21:28:36 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>,
	<bugtraq@...urityfocus.com>
Subject: Abuse of Functionality vulnerabilities in Drupal

Hello list!

I want to warn you about Abuse of Functionality vulnerabilities in Drupal.

-------------------------
Affected products:
-------------------------

Vulnerable are Drupal 6.20 and previous versions.

----------
Details:
----------

Abuse of Functionality (WASC-42):

There is unreliable mechanism of changing password in the system. In user
profile (http://site/user/1/edit) it's possible to change password without
knowing of current password. And even there is protection against CSRF in
the form, this will not protect against Abuse of Functionality.

Because with using of XSS vulnerabilities it's possible to bypass this
protection and conduct remote attack for changing of the password (including
administrator's one). Or at session hijacking via XSS it's possible to get
into account and change the password. Or it's possible to do that at
temporarily access to user's computer, from which he logged in to his
account.

Abuse of Functionality (WASC-42):

Besides two before-mentioned methods (http://websecurity.com.ua/4763/),
there are the next methods for enumerating of logins of the users.

At the forum (http://site/forum) logins of the users show, which posted at
the forum (opened a topic or wrote a comment).

In section Recent posts (http://site/tracker) at pages "All last posts" and
"My posts" logins of the users show, which wrote posts at the site. Attack
is possible to conduct only for logged in users.

In posts of the blog (http://site/content/post), and also in comments to
blog posts and other pages of the site (http://site/page) logins of the
users show, which made a post in blog or made a comment.

In password recovery form (http://site/user/password) it's possible on find
existent logins and e-mails of the users at the site. If to send incorrect
login or e-mail then the message shows "Sorry, ... is not recognized as a
user name or an e-mail address.", and if to send correct login or e-mail,
then this message will not show.

------------
Timeline:
------------

2010.12.20 - announced at my site.
2010.12.21 - informed developers.
2011.02.18 - disclosed at my site.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/4776/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ