| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <002801cbd06c$422caaa0$c103fea9@ml> Date: Sat, 19 Feb 2011 21:28:36 +0200 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>, <bugtraq@...urityfocus.com> Subject: Abuse of Functionality vulnerabilities in Drupal Hello list! I want to warn you about Abuse of Functionality vulnerabilities in Drupal. ------------------------- Affected products: ------------------------- Vulnerable are Drupal 6.20 and previous versions. ---------- Details: ---------- Abuse of Functionality (WASC-42): There is unreliable mechanism of changing password in the system. In user profile (http://site/user/1/edit) it's possible to change password without knowing of current password. And even there is protection against CSRF in the form, this will not protect against Abuse of Functionality. Because with using of XSS vulnerabilities it's possible to bypass this protection and conduct remote attack for changing of the password (including administrator's one). Or at session hijacking via XSS it's possible to get into account and change the password. Or it's possible to do that at temporarily access to user's computer, from which he logged in to his account. Abuse of Functionality (WASC-42): Besides two before-mentioned methods (http://websecurity.com.ua/4763/), there are the next methods for enumerating of logins of the users. At the forum (http://site/forum) logins of the users show, which posted at the forum (opened a topic or wrote a comment). In section Recent posts (http://site/tracker) at pages "All last posts" and "My posts" logins of the users show, which wrote posts at the site. Attack is possible to conduct only for logged in users. In posts of the blog (http://site/content/post), and also in comments to blog posts and other pages of the site (http://site/page) logins of the users show, which made a post in blog or made a comment. In password recovery form (http://site/user/password) it's possible on find existent logins and e-mails of the users at the site. If to send incorrect login or e-mail then the message shows "Sorry, ... is not recognized as a user name or an e-mail address.", and if to send correct login or e-mail, then this message will not show. ------------ Timeline: ------------ 2010.12.20 - announced at my site. 2010.12.21 - informed developers. 2011.02.18 - disclosed at my site. I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/4776/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists