Message-ID: <001401cc3760$cb74cf80$9b7a6fd5@ml>
Date: Thu, 30 Jun 2011 23:02:31 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerabilities in Print for Drupal

Hello list!

I want to warn you about Abuse of Functionality and Insufficient
Anti-automation vulnerabilities in the Print module for Drupal.

-------------------------
Affected products:
-------------------------

Print versions 5.x-4.11, 6.x-1.12, 7.x-1.x-dev and earlier are
vulnerable.

----------
Details:
----------

Abuse of Functionality (WASC-42):

The form for sending content by e-mail (http://site/printmail/1) can be used
for sending spam; all of the main fields (which can be used for spoofing) can
be set: the return address (by changing it in the profile), the name, the
e-mail address or several addresses of the recipients, the subject and the
text of the message. It is also possible to select, for sending in the
letter's text, pages created by the user himself, which allows spam messages
to be created at the site for subsequent sending by e-mail (for maximum
control over the content of the spam letters).

Insufficient Anti-automation (WASC-21):

On the page for sending content by e-mail (http://site/printmail/1) there is
no protection from automated requests (captcha), which allows automated
sending of spam to arbitrary e-mail addresses. The limit of a maximum of 3
messages per hour is bypassed by sending messages from different IPs (even
while logged into the same account).

Exploit:

http://websecurity.com.ua/uploads/2011/Drupal%20Print%20IAA.html

And taking into account the two Brute Force vulnerabilities in Drupal (lack of
captcha), which I mentioned earlier, automated login is possible, which
allows this process to be completely automated. I wrote about this in the
article Attacks on unprotected login forms
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html).

------------
Timeline:
------------

2011.04.15 - announced at my site.
2011.04.17 - informed developer.
2011.06.30 - disclosed at my site.

I mentioned these vulnerabilities at my site
(http://websecurity.com.ua/5083/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
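The anti-automation weakness described in the message above is that the module's limit of 3 messages per hour is counted per source IP, so an authenticated user simply changes address to reset it. The following is an added illustration, not code from the Print module or from the original post: a sliding-window throttle in Python whose key function decides what the limit is counted against. `per_ip_key` reproduces the bypassable behaviour; `per_account_key` counts authenticated users by account id regardless of IP and only falls back to the IP for anonymous visitors. All class and function names, the window size and the sample traffic are hypothetical and constructed here.

```python
"""Sliding-window throttle for a 'send this page by e-mail' form.

Added illustration (hypothetical names), not code from the Drupal Print
module. It shows why a limit keyed on source IP is defeated by address
rotation and how keying on the authenticated account closes that gap.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # one hour, matching the "3 messages per hour" in the advisory
MAX_PER_WINDOW = 3


class SendThrottle:
    """Allow at most `limit` sends per `window` seconds for each key."""

    def __init__(self, key_fn, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
        self._key_fn = key_fn
        self._window = window
        self._limit = limit
        self._events = defaultdict(deque)   # key -> timestamps of recent sends

    def allow(self, now, account, ip):
        """Return True and record the send if the key is under its limit."""
        key = self._key_fn(account, ip)
        q = self._events[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self._window:
            q.popleft()
        if len(q) >= self._limit:
            return False
        q.append(now)
        return True


def per_ip_key(account, ip):
    """The bypassable scheme: every new source address starts a fresh count."""
    return ("ip", ip)


def per_account_key(account, ip):
    """Authenticated users are counted by account id, whatever IP they use;
    anonymous users (account is None) fall back to the IP key."""
    return ("uid", account) if account is not None else ("ip", ip)


def simulate(throttle, attempts):
    """Return how many of the attempts the throttle lets through.
    `attempts` is an iterable of (timestamp, account, ip)."""
    return sum(1 for t, acct, ip in attempts if throttle.allow(t, acct, ip))


# Constructed scenario: one logged-in account submits the form 12 times
# within a minute, rotating over four source addresses (documentation range).
SAMPLE_ATTEMPTS = [(i * 5, "user42", f"198.51.100.{i % 4}") for i in range(12)]

if __name__ == "__main__":
    print("per-IP throttle lets through:",
          simulate(SendThrottle(per_ip_key), SAMPLE_ATTEMPTS))        # 12
    print("per-account throttle lets through:",
          simulate(SendThrottle(per_account_key), SAMPLE_ATTEMPTS))   # 3
```

The account-keyed throttle is the counterpart of the advisory's second finding only; the spoofable fields in the first finding are a separate issue, usually addressed by fixing the From header to the site's own address and carrying the user's address in Reply-To.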