Anyone aware of this being abused in the wild?

On Mon, Feb 21, 2011 at 3:11 PM, tc <[email protected]> wrote:
> -------------
> Timeline:
> -------------
>
> 2009.03.05 - disclosed at http://www.madirish.net/?article=239
> 2009.03.15 - posted to FD (http://seclists.org/fulldisclosure/2009/Mar/115)
> 2009.03.15 - 2010.12.20 - No one gave a fuck
> 2010.12.20 - MustLive announced at my site.
> 2010.12.21 - MustLive informed developers.
> 2011.02.18 - disclosed at MustLive's site.
> 2011.02.18 - current - Everyone continued to not give a fuck
>
>
> On Mon, Feb 21, 2011 at 11:00 PM, Justin Klein Keane
> <[email protected]> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > - ------------
> > Timeline:
> > - ------------
> >
> > 2009.03.05 - disclosed at http://www.madirish.net/?article=239
> > 2009.03.15 - posted to FD (http://seclists.org/fulldisclosure/2009/Mar/115)
> > 2010.12.20 - MustLive announced at my site.
> > 2010.12.21 - MustLive informed developers.
> > 2011.02.18 - disclosed at MustLive's site.
> >
> > Justin C. Klein Keane
> > http://www.MadIrish.net
> >
> > The digital signature on this message can be confirmed
> > using the public key at http://www.madirish.net/gpgkey
> >
> > On 02/19/2011 02:28 PM, MustLive wrote:
> >> Hello list!
> >>
> >> I want to warn you about Abuse of Functionality vulnerabilities in Drupal.
> >>
> >> -------------------------
> >> Affected products:
> >> -------------------------
> >>
> >> Vulnerable are Drupal 6.20 and previous versions.
> >>
> >> ----------
> >> Details:
> >> ----------
> >>
> >> Abuse of Functionality (WASC-42):
> >>
> >> There is an unreliable mechanism for changing the password in the system. In the
> >> user profile (http://site/user/1/edit) it's possible to change the password
> >> without knowing the current password. And even though there is protection
> >> against CSRF in the form, this will not protect against Abuse of Functionality.
> >>
> >> Because by using XSS vulnerabilities it's possible to bypass this protection
> >> and conduct a remote attack to change the password (including the
> >> administrator's). Or, with session hijacking via XSS, it's possible to get
> >> into the account and change the password. Or it's possible to do that with
> >> temporary access to the user's computer, from which he logged in to his
> >> account.
> >>
> >> Abuse of Functionality (WASC-42):
> >>
> >> Besides the two before-mentioned methods (http://websecurity.com.ua/4763/),
> >> there are the following methods for enumerating the logins of users.
> >>
> >> At the forum (http://site/forum) the logins of the users who posted at the
> >> forum (opened a topic or wrote a comment) are shown.
> >>
> >> In the section Recent posts (http://site/tracker), on the pages "All last posts"
> >> and "My posts", the logins of the users who wrote posts at the site are shown.
> >> The attack can be conducted only by logged-in users.
> >>
> >> In blog posts (http://site/content/post), and also in comments to blog posts
> >> and other pages of the site (http://site/page), the logins of the users who
> >> made a blog post or a comment are shown.
> >>
> >> In the password recovery form (http://site/user/password) it's possible to
> >> find existing logins and e-mails of the users of the site. If an incorrect
> >> login or e-mail is sent, the message "Sorry, ... is not recognized as a
> >> user name or an e-mail address." is shown, and if a correct login or e-mail
> >> is sent, this message is not shown.
> >>
> >> ------------
> >> Timeline:
> >> ------------
> >>
> >> 2010.12.20 - announced at my site.
> >> 2010.12.21 - informed developers.
> >> 2011.02.18 - disclosed at my site.
> >>
> >> I mentioned these vulnerabilities at my site
> >> (http://websecurity.com.ua/4776/).
> >>
> >> Best wishes & regards,
> >> MustLive
> >> Administrator of Websecurity web site
> >> http://websecurity.com.ua
> >>
> >>
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.11 (GNU/Linux)
> > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
> >
> > iPwEAQECAAYFAk1ifhMACgkQkSlsbLsN1gBIGwb/b+4L5kuSZergm1xuNle4JMeC
> > itwiMfMzmFjWFJojO/+h65iKjkVyzVeZdscZHT+yIXIr0C2WpmxoVukALd184gWB
> > t3XfGO0cGche3dqZOcCCMHS6thJREKwSNqilxoYV4Wizmz9C2P9OullXhudRIefp
> > 7CxX/O2U7oJgAbnJNNjUGNPotee4SzFCLdwN4KHXNVrCorVIViIPDMZT2BxU6cct
> > jhp8QFQ5tVXwamdhbA5s+ALnmXc4rvedjYQesrre3c9IAh0IWL/6bYtXcluTDGP7
> > OJD2Yj5VjnriJSGErsM=
> > =1WaJ
> > -----END PGP SIGNATURE-----
