[Full-disclosure] Drupal storm 1.32
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Drupal storm 1.32
- From: Black Packeteer <black.packeteer@xxxxxxxxx>
- Date: Wed, 12 May 2010 15:11:13 -0400
Drupal Storm module is a CRM type module that allows you to make orgs,
people, tasks, and projects. It is used on thousands of sites according to
http://drupal.org/project/usage/storm. Storm version 1.32 has a lot of
cross-site scripting vulns.
Sploits -
* Make or view a Storm organization at ?q=node/add/stormorganization
* <script>alert('sploit');</script> for the Fullname, address, city, state,
phone, and taxid values
* Save and watch scripts
* Make new person, ?q=node/add/stormperson
* <script>alert('sploit');</script> for the Name, enter and save it
* Make new project at ?q=node/add/stormproject, use anything and save
* Make new task at ?q=node/add/stormtask using this:
* <script>alert('sploit');</script> for Step no. and Title
* Go to ?q=node/add/stormticket
* Change the 'Project:' drop-down twice to see js alerts
* Make new ticket at ?q=node/add/stormticket
* Go to Timetracking screen at ?q=node/add/stormtimetracking
* Change the 'Project:' drop-down to view alerts
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
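The class of bug reported above, as an added example that is not Storm's code and not part of the original post: a Drupal 6 style node render that concatenates stored field values straight into markup, beside the same render with every value passed through check_plain() at output time. The script runs stand-alone, so check_plain() here is a local stand-in for Drupal's own function (htmlspecialchars with ENT_QUOTES and UTF-8, which is what the real one reduces to for valid UTF-8). The record and project list are constructed sample data, and the render functions are hypothetical; the advisory does not say how the 'Project:' drop-down triggers the alert, so the JSON part assumes project titles are sent to the browser and inserted into the page as HTML.

```php
<?php
// Added example (not Storm's code): stored XSS in a Drupal 6 style module render
// and its fix. check_plain() is a stand-in for Drupal's own check_plain().
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample record standing in for a saved stormorganization node,
// with the same payload the advisory used for Fullname.
$org = array(
  'fullname' => "<script>alert('sploit');</script>",
  'city'     => 'Springfield',
);

// Vulnerable: raw field values concatenated into markup. Whoever views the
// node runs the script the author stored in it.
function render_org_vulnerable(array $org) {
  return '<div class="stormorganization">'
       . '<h2>' . $org['fullname'] . '</h2>'
       . '<div class="city">' . $org['city'] . '</div>'
       . '</div>';
}

// Hardened: every user-supplied string is escaped at the point it enters HTML.
function render_org_safe(array $org) {
  return '<div class="stormorganization">'
       . '<h2>' . check_plain($org['fullname']) . '</h2>'
       . '<div class="city">' . check_plain($org['city']) . '</div>'
       . '</div>';
}

// Drop-down case (assumed mechanism): project titles sent to the browser as
// JSON and turned into <option> markup by page script. json_encode() leaves
// '<' and '>' alone, so titles must be escaped here, or the client must build
// the options as text nodes rather than HTML.
function project_options_json(array $projects, $escape) {
  $out = array();
  foreach ($projects as $nid => $title) {
    $out[$nid] = $escape ? check_plain($title) : $title;
  }
  return json_encode($out);
}

// Constructed sample project list (nid => title).
$projects = array(
  12 => "<script>alert('sploit');</script>",
  13 => 'Ordinary project',
);

echo "Vulnerable render:\n", render_org_vulnerable($org), "\n\n";
echo "Hardened render:\n", render_org_safe($org), "\n\n";
echo "Unescaped options JSON:\n", project_options_json($projects, FALSE), "\n";
echo "Escaped options JSON:\n", project_options_json($projects, TRUE), "\n";
```

Run it with `php` on the command line: the hardened render and the escaped JSON show `&lt;script&gt;` in place of the tag, which the browser displays as literal text. In a real Drupal 6 module the same effect comes from wrapping field values in check_plain(), using `@name` rather than `!name` placeholders in t(), and never handing raw node data to `#value` or `#markup` elements.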