exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Drupal 6.22 Cross Site Scripting

Drupal 6.22 Cross Site Scripting
Posted Jun 28, 2011
Authored by MustLive

Drupal versions 6.22 and below suffer from brute forcing and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 1eaf996a094a3644698c4b0c8591e44ba2fae4746290b3b7d1beca556b732e0d

Drupal 6.22 Cross Site Scripting

Change Mirror Download
-------------------------
Affected products:
-------------------------

Vulnerable are Drupal 6.22 and previous versions. Taking into account that
developers didn't fixed these holes, then versions 7.x also must be
vulnerable.

----------
Details:
----------

XSS (WASC-08):

At pages with forms (i.e. at comment page http://site/comment/reply/1, as
add data forms, as edit data forms), which are protected by token from CSRF,
it's possible to conduct reflected XSS attack. Even without need to know
form_token. The hole is similar to previous XSS, but in this case it's
reflected XSS (not persistent), much more forms are affected (code will
execute not only at edit forms, but also at add forms) and there is no need
to know form_token.

The attack is conducting on any forms with turned on FCKeditor/CKeditor.
Such attack can be conducted and on forms with TinyMCE - I wrote already
about such vulnerabilities in PHP-Nuke via TinyMCE
(http://packetstormsecurity.org/files/view/99162/phpnuke-iaaxss.txt).

If it's edit data form, then the attack can be conducted only on logged-in
user which is an owner of this account (who posted this comment, etc.) or on
admin of the site. And if it's add data form (i.e. comment), then it's
possible to conduct attacks on admin and any logged-in users. Attacking code
can be in parameter comment, body or other parameter depending on the form.

Exploit:

http://websecurity.com.ua/uploads/2011/Drupal%20XSS.html

Brute Force (WASC-11):

In login form in sidebar, which is placed at any external page of the site
(http://site/node), there is no reliable protection against brute force
attacks. There is no captcha in Drupal itself, and existent Captcha module
(and also all plugins for it, such as reCAPTCHA) is vulnerable, as I wrote
already (http://websecurity.com.ua/4763/). Exploit is differ from previous
BF: if in previous Brute Force vulnerability form_id equal user_login, then
in this one form_id equal user_login_block.

------------
Timeline:
------------

2010.12.11 - when I informed developers about previous multiple
vulnerabilities in Drupal, I told them briefly about these holes.
2011.04.13 - announced at my site.
2011.04.14 - informed developers.
2011.06.25 - disclosed at my site.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/5077/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    0 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    0 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close