Message-ID: <AANLkTimfwmP3mdNRbBV7QtsR=4=-8tu75d9sZRR89bPm@mail.gmail.com>
Date: Mon, 21 Feb 2011 23:11:14 +0800
From: tc <toughcrowd@...il.com>
To: Justin Klein Keane <justin@...irish.net>
Cc: full-disclosure@...ts.grok.org.uk, MustLive <mustlive@...security.com.ua>, bugtraq@...urityfocus.com, submissions@...ketstormsecurity.org
Subject: Re: Abuse of Functionality vulnerabilities in Drupal

-------------
Timeline:
-------------

2009.03.05 - disclosed at http://www.madirish.net/?article=239
2009.03.15 - posted to FD (http://seclists.org/fulldisclosure/2009/Mar/115)
2009.03.15 - 2010.12.20 - No one gave a fuck
2010.12.20 - MustLive announced at my site.
2010.12.21 - MustLive informed developers.
2011.02.18 - disclosed at MustLive's site.
2011.02.18 - current - Everyone continued to not give a fuck

On Mon, Feb 21, 2011 at 11:00 PM, Justin Klein Keane <justin@...irish.net> wrote:
> ------------
> Timeline:
> ------------
>
> 2009.03.05 - disclosed at http://www.madirish.net/?article=239
> 2009.03.15 - posted to FD (http://seclists.org/fulldisclosure/2009/Mar/115)
> 2010.12.20 - MustLive announced at my site.
> 2010.12.21 - MustLive informed developers.
> 2011.02.18 - disclosed at MustLive's site.
>
> Justin C. Klein Keane
> http://www.MadIrish.net
>
> The digital signature on this message can be confirmed
> using the public key at http://www.madirish.net/gpgkey
>
> On 02/19/2011 02:28 PM, MustLive wrote:
>> Hello list!
>>
>> I want to warn you about Abuse of Functionality vulnerabilities in Drupal.
>>
>> -------------------------
>> Affected products:
>> -------------------------
>>
>> Vulnerable are Drupal 6.20 and previous versions.
>>
>> ----------
>> Details:
>> ----------
>>
>> Abuse of Functionality (WASC-42):
>>
>> There is an unreliable mechanism for changing the password in the system. In the user
>> profile (http://site/user/1/edit) it's possible to change the password without
>> knowing the current password. And even though there is protection against CSRF in
>> the form, this will not protect against Abuse of Functionality.
>>
>> Because by using XSS vulnerabilities it's possible to bypass this
>> protection and conduct a remote attack to change the password (including
>> the administrator's). Or with session hijacking via XSS it's possible to get
>> into the account and change the password. Or it's possible to do that with
>> temporary access to the user's computer, from which he logged in to his
>> account.
>>
>> Abuse of Functionality (WASC-42):
>>
>> Besides the two before-mentioned methods (http://websecurity.com.ua/4763/),
>> there are the following methods for enumerating the logins of the users.
>>
>> At the forum (http://site/forum) the logins of the users who posted at
>> the forum (opened a topic or wrote a comment) are shown.
>>
>> In the section Recent posts (http://site/tracker), at the pages "All last posts" and
>> "My posts", the logins of the users who wrote posts at the site are shown. The attack
>> can be conducted only by logged in users.
>>
>> In blog posts (http://site/content/post), and also in comments to
>> blog posts and other pages of the site (http://site/page), the logins of the
>> users who made a post in the blog or made a comment are shown.
>>
>> In the password recovery form (http://site/user/password) it's possible to find
>> existing logins and e-mails of the users at the site. If an incorrect
>> login or e-mail is sent, the message "Sorry, ... is not recognized as a
>> user name or an e-mail address." is shown, and if a correct login or e-mail is sent,
>> then this message is not shown.
>>
>> ------------
>> Timeline:
>> ------------
>>
>> 2010.12.20 - announced at my site.
>> 2010.12.21 - informed developers.
>> 2011.02.18 - disclosed at my site.
>>
>> I mentioned these vulnerabilities at my site
>> (http://websecurity.com.ua/4776/).
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
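The two WASC-42 issues MustLive describes, a profile password change that never asks for the current password and a recovery form whose reply differs for known and unknown accounts, shown hardened in an added defender-side example; this is not Drupal code and not part of the thread, and the user store, login and e-mail address are constructed.

```python
"""Added example: hardening the two account flows described as
WASC-42 Abuse of Functionality. Not Drupal code; the user store is constructed."""
import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: a slow hash so stolen hashes resist guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


_SALT = secrets.token_bytes(16)
# Constructed sample store: login -> salt, password hash, e-mail address.
USERS = {
    "admin": {"salt": _SALT, "hash": _hash("correct horse", _SALT),
              "email": "admin@example.test"},
}
RESET_MESSAGE = ("If the login or e-mail you entered matches an account, "
                 "instructions have been sent to that account's address.")
RESET_QUEUE = []  # simulated outbound mail; never visible to the requester


def request_password_reset(identifier: str) -> str:
    """Recovery form without an enumeration oracle: the user-visible reply is
    the same string whether or not `identifier` matches a login or e-mail.
    Only the side effect (a queued mail) depends on the lookup result."""
    for login, rec in USERS.items():
        if identifier in (login, rec["email"]):
            RESET_QUEUE.append(login)
            break
    return RESET_MESSAGE


def verify_password(login: str, password: str) -> bool:
    """Constant-time comparison of the stored hash against a candidate."""
    rec = USERS[login]
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])


def change_password(login: str, current_password: str, new_password: str) -> bool:
    """Profile password change that re-authenticates with the current password,
    so a hijacked session (XSS, unattended browser) alone cannot set a new one."""
    if not verify_password(login, current_password):
        return False
    salt = secrets.token_bytes(16)
    USERS[login]["salt"], USERS[login]["hash"] = salt, _hash(new_password, salt)
    return True
```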