Message-ID: <4D627E13.5020601@madirish.net>
Date: Mon, 21 Feb 2011 10:00:35 -0500
From: Justin Klein Keane <justin@...irish.net>
To: MustLive <mustlive@...security.com.ua>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, submissions@...ketstormsecurity.org
Subject: Re: Abuse of Functionality vulnerabilities in Drupal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------
Timeline:
- ------------
2009.03.05 - disclosed at http://www.madirish.net/?article=239
2009.03.15 - posted to FD (http://seclists.org/fulldisclosure/2009/Mar/115)
2010.12.20 - MustLive announced at my site.
2010.12.21 - MustLive informed developers.
2011.02.18 - disclosed at MustLive's site.

Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed using the public key at http://www.madirish.net/gpgkey

On 02/19/2011 02:28 PM, MustLive wrote:
> Hello list!
>
> I want to warn you about Abuse of Functionality vulnerabilities in Drupal.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are Drupal 6.20 and previous versions.
>
> ----------
> Details:
> ----------
>
> Abuse of Functionality (WASC-42):
>
> There is an unreliable mechanism for changing the password in the system. In the user profile (http://site/user/1/edit) it's possible to change the password without knowing the current password. And even though there is protection against CSRF in the form, this will not protect against Abuse of Functionality.
>
> Because by using XSS vulnerabilities it's possible to bypass this protection and conduct a remote attack to change the password (including the administrator's one). Or with session hijacking via XSS it's possible to get into the account and change the password. Or it's possible to do that with temporary access to the user's computer, from which he logged in to his account.
>
> Abuse of Functionality (WASC-42):
>
> Besides the two before-mentioned methods (http://websecurity.com.ua/4763/), there are the following methods for enumerating the logins of the users.
>
> At the forum (http://site/forum) the logins of the users who posted at the forum (opened a topic or wrote a comment) are shown.
>
> In the section Recent posts (http://site/tracker), on the pages "All last posts" and "My posts", the logins of the users who wrote posts at the site are shown. The attack is possible to conduct only for logged-in users.
>
> In posts of the blog (http://site/content/post), and also in comments to blog posts and other pages of the site (http://site/page), the logins of the users who made a post in the blog or made a comment are shown.
>
> In the password recovery form (http://site/user/password) it's possible to find existing logins and e-mails of the users at the site. If you send an incorrect login or e-mail, then the message "Sorry, ... is not recognized as a user name or an e-mail address." is shown, and if you send a correct login or e-mail, then this message will not be shown.
>
> ------------
> Timeline:
> ------------
>
> 2010.12.20 - announced at my site.
> 2010.12.21 - informed developers.
> 2011.02.18 - disclosed at my site.
>
> I mentioned these vulnerabilities at my site (http://websecurity.com.ua/4776/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAk1ifhMACgkQkSlsbLsN1gBIGwb/b+4L5kuSZergm1xuNle4JMeC
itwiMfMzmFjWFJojO/+h65iKjkVyzVeZdscZHT+yIXIr0C2WpmxoVukALd184gWB
t3XfGO0cGche3dqZOcCCMHS6thJREKwSNqilxoYV4Wizmz9C2P9OullXhudRIefp
7CxX/O2U7oJgAbnJNNjUGNPotee4SzFCLdwN4KHXNVrCorVIViIPDMZT2BxU6cct
jhp8QFQ5tVXwamdhbA5s+ALnmXc4rvedjYQesrre3c9IAh0IWL/6bYtXcluTDGP7
OJD2Yj5VjnriJSGErsM=
=1WaJ
-----END PGP SIGNATURE-----
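The two weaknesses discussed in the thread (a password-change form that does not ask for the current password, so a CSRF token alone does not help against script injected via XSS, a hijacked session or an unattended browser; and a recovery form whose error message differs for existing and non-existing accounts) have well-known mitigations. The block below is an added example written for this page; it is not code from the original post or from Drupal. Names such as USERS, OUTBOX, change_password and request_password_reset are hypothetical, and the user store is constructed in memory to stand in for a real database.

```python
"""Added example (not from the original post, not Drupal's own code):
a minimal password-change and password-recovery flow hardened against
the two issues discussed in the thread."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000

# Constructed in-memory stores (hypothetical): login -> account record,
# and a queue of reset e-mails a real deployment would actually send.
USERS: dict = {}
OUTBOX: list = []

# Dummy credentials hashed once at import time, so that checking a
# non-existent login costs the same KDF work as checking a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", _DUMMY_SALT, PBKDF2_ROUNDS)

# One fixed reply for the recovery form, regardless of the lookup result.
RESET_MESSAGE = ("If that user name or e-mail address is registered, "
                 "a password reset link has been sent to it.")


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def add_user(login: str, email: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[login] = {
        "email": email,
        "salt": salt,
        "hash": _hash_password(password, salt),
        "sessions": set(),  # active session ids for this account
    }


def verify_password(login: str, password: str) -> bool:
    """Constant-time comparison; unknown logins still run the KDF so the
    response time does not reveal whether the account exists."""
    user = USERS.get(login)
    salt, expected = (user["salt"], user["hash"]) if user else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    return ok and user is not None


def login_user(login: str, password: str):
    """Return a fresh session id on success, else None."""
    if not verify_password(login, password):
        return None
    session_id = secrets.token_urlsafe(32)
    USERS[login]["sessions"].add(session_id)
    return session_id


def change_password(login: str, session_id: str, current_password: str, new_password: str) -> bool:
    """Change the password only for a caller who holds a valid session AND
    proves knowledge of the current password. Requiring the current password
    is what stops a request issued by injected script, from a hijacked
    session, or from an unattended logged-in browser. On success every other
    session for the account is revoked, so a stolen session is cut off once
    the legitimate owner changes the password."""
    user = USERS.get(login)
    if user is None or session_id not in user["sessions"]:
        return False
    if not verify_password(login, current_password):
        return False
    salt = os.urandom(16)
    user["salt"] = salt
    user["hash"] = _hash_password(new_password, salt)
    user["sessions"] = {session_id}
    return True


def request_password_reset(login_or_email: str) -> str:
    """Reply identically whether or not the login/e-mail exists. Only the
    side effect (queueing a reset mail) depends on the lookup, so the form
    cannot be used to enumerate accounts."""
    for login, user in USERS.items():
        if login_or_email in (login, user["email"]):
            OUTBOX.append((user["email"], secrets.token_urlsafe(32)))
            break
    return RESET_MESSAGE


if __name__ == "__main__":
    add_user("admin", "admin@example.org", "correct horse battery staple")
    sid = login_user("admin", "correct horse battery staple")
    print(change_password("admin", sid, "wrong guess", "hunter2"))
    print(change_password("admin", sid, "correct horse battery staple", "hunter2"))
    print(request_password_reset("admin") == request_password_reset("no-such-user"))
```

The recovery handler deliberately does the lookup loop in both cases and moves the only difference (queueing a mail) out of the visible response; in a real deployment the mail send should also be done asynchronously so that response time does not reintroduce the oracle. Revoking other sessions on password change is what makes the change useful against the session-hijacking case the post describes.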