
Re: [Full-disclosure] Drupal 5.x, 6.x <= Stored Cross Site Scripting Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think I should also point out that I disclosed these vulnerabilities
starting in May of 2009 (http://www.madirish.net/?article=256, and
similarly http://www.madirish.net/?article=429) and went through this
same discussion already.

Justin Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed using
the public key at http://www.madirish.net/gpgkey

On 01/13/2011 11:40 PM, YGN Ethical Hacker Group wrote:
> On Fri, Jan 14, 2011 at 4:28 AM, Justin Klein Keane <justin@xxxxxxxxxxxx> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Drupal security has been aware of this issue for quite some time now.
>> But basically, as their response indicates, you need admin access to
>> exploit these issues.  However, if you have admin access you can execute
>> PHP and basically do anything you want.  Your vulnerability hinges on
>> being able to bypass the CSRF security in place in Drupal.  Seems like a
>> bit of a stretch to release this as an advisory.  Why not include the
>> fact that if you can bypass the CSRF detection you can also execute
>> arbitrary code with the privileges of the web server?
>>
> 
> 
> 
> "If you 0wn a server, you 0wn one machine"
> 
> "If you 0wn clients, you 0wn thousands of machines".
> 
> 
> http://cyberinsecure.com/?s=iframe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/