Files

Drupal Heartbeat 6.x / 7.x Cross Site Request Forgery
Posted Sep 6, 2012
Authored by Greg Knaddison | Site drupal.org

Drupal Heartbeat versions 6.x and 7.x suffer from a cross site request forgery vulnerability.

tags | advisory, csrf
MD5 | 65f78c04cd7fbe4ed2637c65f71ee0d8

Related Files

DRUPAL-SA-2007-017.txt
Posted Jul 31, 2007
Authored by Heine Deelstra | Site drupal.org

Drupal security advisory - Several parts in Drupal core are not protected against cross site request forgeries due to improper use of the Forms API, or by taking action solely on GET requests. Malicious users are able to delete comments and content revisions and disable menu items by enticing a privileged user to visit certain URLs while the victim is logged in to the targeted site. Drupal versions 5.x below 5.2 are affected.

tags | advisory
MD5 | b734838a39dd108a42a7f302a14031cf
DRUPAL-SA-2007-005.txt
Posted Jan 31, 2007
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory - Previews on comments were not passed through normal form validation routines, enabling users with the 'post comments' permission and access to more than one input filter to execute arbitrary code. Affected include Drupal 4.7.x versions before Drupal 4.7.6 and Drupal 5.x versions before Drupal 5.1.

tags | advisory, arbitrary
MD5 | ed1adc7b529116a1736f9a8e799514d0
DRUPAL-SA-2007-002.txt
Posted Jan 7, 2007
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory - The way page caching was implemented allows a denial of service attack. An attacker has to have the ability to post content on the site. He or she would then be able to poison the page cache, so that it returns cached 404 page not found errors for existing pages. If the page cache is not enabled, your site is not vulnerable. The vulnerability only affects sites running on top of MySQL.

tags | advisory, denial of service
MD5 | 4ee5ccf0b9c894440a06c49e399edf6f
DRUPAL-SA-2007-001.txt
Posted Jan 7, 2007
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory - A few arguments passed via URLs are not properly sanitized before display. When an attacker is able to entice an administrator to follow a specially crafted link, arbitrary HTML and script code can be injected and executed in the victim's session. Such an attack may lead to administrator access if certain conditions are met.

tags | advisory, arbitrary
MD5 | c63802f3ddcacfd814fb71e3b5b7048f
DRUPAL-SA-2006-024.txt
Posted Oct 21, 2006
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory - DRUPAL-SA-2006-024: Multiple XSS (cross site scripting) vulnerabilities have been discovered.

tags | advisory, vulnerability, xss
MD5 | de0edab9e8d4561d53f094f8bb06a43b
DRUPAL-SA-2006-025.txt
Posted Oct 21, 2006
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory DRUPAL-SA-2006-025: Visiting a specially crafted page, anywhere on the web, may allow that page to post forms to a Drupal site in the context of the visitor's session. To illustrate: suppose one has an active user 1 session, the most powerful administrator account for a site, to a Drupal site while visiting a website created by an attacker. This website will now be able to submit any form to the Drupal site with the privileges of user 1, either by enticing the user to submit a form or by automated means. An attacker can exploit this vulnerability by changing passwords, posting PHP code or creating new users, for example. The attack is only limited by the privileges of the session it executes in.

tags | advisory, web, php
MD5 | 539e9d2f863163f22bcfc61d2c1865d5
DRUPAL-SA-2006-026.txt
Posted Oct 21, 2006
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory DRUPAL-SA-2006-026: A malicious user may entice users to visit a specially crafted URL that may result in the redirection of Drupal form submission to a third-party site. A user visiting the user registration page via such a URL, for example, will submit all data, such as his/her e-mail address, but also possible private profile data, to a third-party site.

tags | advisory
MD5 | 9a6aef62ad38a0e2a25cb7cfd9d39d92
DRUPAL-SA-2006-011.txt
Posted Aug 17, 2006
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory DRUPAL-SA-2006-011: A malicious user can execute a cross site scripting attack by enticing someone to visit a Drupal site via a specially crafted link. Versions 4.6 and 4.7 are affected.

tags | advisory, xss
MD5 | 63da241f456cfc9b75e2ca8325df4bbe
DRUPAL-SA-2006-005.txt
Posted Jun 3, 2006
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory DRUPAL-SA-2006-005: A security vulnerability in the database layer allowed certain queries to be submitted to the database without going through Drupal's query sanitizer.

tags | advisory
MD5 | 34f3d794cb2ffae1f36056909dc2b876
DRUPAL-SA-2006-008.txt
Posted Jun 3, 2006
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory DRUPAL-SA-2006-008: Bart Jansens reported that it is possible for a malicious user to insert and execute XSS into free tagging terms, due to lack of validation on output of the page title. The fix wraps the display of terms in check_plain().

tags | advisory
MD5 | f5a678d3c77700484b9404f1451dc065
DRUPAL-SA-2006-007.txt
Posted Jun 3, 2006
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory DRUPAL-SA-2006-007: Recently, the Drupal security team was informed of a potential exploit that would allow untrusted code to be executed upon a successful request by a malicious user. If a dynamic script with multiple extensions such as file.php.pps or file.sh.txt is uploaded and then accessed from a web browser under certain common Apache configurations, it will cause the script inside to be executed. We deemed this exploit critical and released Drupal 4.6.7 and 4.7.1 six hours after the report was filed. The fix was to create a .htaccess file to remove all dynamic script handlers, such as PHP, from the "files" directory.

tags | advisory, web, php
MD5 | 2a54a65484f220d3d3d64521c05cfa2d
DRUPAL-SA-2006-006.txt
Posted Jun 3, 2006
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory DRUPAL-SA-2006-006: Certain -- alas, typical -- configurations of Apache allow execution of carefully named arbitrary scripts in the files directory. Drupal now will attempt to automatically create a .htaccess file in your "files" directory to protect you.

tags | advisory, arbitrary
MD5 | ee0e7bbcaacd9d55083ac6ad2676e689
Drupal-4.7.txt
Posted May 26, 2006
Authored by rgod | Site retrogod.altervista.org

Proof of concept exploit for the attachment mod_mime issue in Drupal versions less than or equal to 4.7.

tags | exploit
MD5 | c14c68c560eeda956bd59c8cc892cad3
DRUPAL-SA-2006-004.txt
Posted Mar 14, 2006
Authored by Uwe Hermann | Site hermann-uwe.de

Drupal security advisory - Linefeeds and carriage returns were not being stripped from email headers, raising the possibility of bogus headers being inserted into outgoing email. This could lead to Drupal sites being used to send unwanted email.

tags | advisory
MD5 | 23c5f84801e924d2557127a4cb280e67
DRUPAL-SA-2006-003.txt
Posted Mar 14, 2006
Authored by Uwe Hermann | Site hermann-uwe.de

Drupal security advisory - If someone creates a clever enough URL and convinces you to click on it, and you later log in but you do not log off then the attacker may be able to impersonate you.

tags | advisory
MD5 | 82c398f3b206cdd5cf52c14c0c661178
DRUPAL-SA-2006-002.txt
Posted Mar 14, 2006
Authored by Uwe Hermann | Site hermann-uwe.de

Drupal security advisory - Some user input sanity checking was missing. This could lead to possible cross-site scripting (XSS) attacks.

tags | advisory, xss
MD5 | 0d0fc2357d0647f1a7f5e682c944eded
DRUPAL-SA-2006-001.txt
Posted Mar 14, 2006
Authored by Uwe Hermann | Site hermann-uwe.de

Drupal security advisory - If you use menu.module to create a menu item, the page you point to will be accessible to all, even if it is an admin page.

tags | advisory
MD5 | 41bef9b37bbb459f57ed2c0c86afb5c1
drupal.txt
Posted Jan 3, 2006
Authored by Liz0ziM | Site biyo.tk

Drupal is susceptible to cross site scripting attacks via IMG tags.

tags | exploit, xss
MD5 | 435c1a197381b2c0f151a3a79bf6cda4
DRUPAL-SA-2005-009.txt
Posted Dec 3, 2005
Authored by Uwe Hermann | Site hermann-uwe.de

Drupal versions 4.6.0 through 4.6.3 suffer from an authentication bypass flaw when using PHP5.

tags | advisory
MD5 | e4ecdd72efc06800c38b45f52f3951c6
DRUPAL-SA-2005-008.txt
Posted Dec 3, 2005
Authored by Uwe Hermann | Site hermann-uwe.de

Drupal versions 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3 suffer a script injection flaw via attached files.

tags | advisory
MD5 | 8734b78506a3e31ed0112a6d7a5d6336
DRUPAL-SA-2005-007.txt
Posted Dec 3, 2005
Authored by Uwe Hermann | Site hermann-uwe.de

Drupal versions 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3 suffer from cross site scripting flaws due to various quirks in interpretation of nonsensical attribute values.

tags | advisory, xss
MD5 | ff23fc8650f86f3ccd27f330235ba32c
DRUPAL-SA-2005-004.txt
Posted Aug 17, 2005
Authored by Uwe Hermann | Site drupal.org

Stefan Esser of the Hardened-PHP Project reported a serious vulnerability in the third-party XML-RPC library included with some Drupal versions. An attacker could execute arbitrary PHP code on a target site.

tags | advisory, arbitrary, php
MD5 | 9b6cdc9463dc6ff9195a8a0aac831328
DRUPAL-SA-2005-003.txt
Posted Jul 1, 2005
Authored by Uwe Hermann | Site drupal.org

A flaw has been discovered in the third-party XML-RPC library included with Drupal. An attacker could execute arbitrary PHP code on a target site.

tags | advisory, arbitrary, php
MD5 | b89ee85cbcbfc655d22d82f97b68a289
DRUPAL-SA-2005-002.txt
Posted Jul 1, 2005
Authored by Uwe Hermann | Site drupal.org

Kuba Zygmunt discovered a flaw in the input validation routines of Drupal's filter mechanism. An attacker could execute arbitrary PHP code on a target site when public comments or postings are allowed.

tags | advisory, arbitrary, php
MD5 | 403e726f5adb10f2049d93abc4ca009e
DRUPAL-SA-2005-001.txt
Posted Jun 18, 2005
Authored by Uwe Hermann | Site drupal.org

The Drupal Security Team has found that the privilege system of Drupal can be circumvented in a very special case because an input check is not implemented properly.

tags | advisory
MD5 | f20cf0cb4f0aa3d583ce9c5f96cbaf23
© 2020 Packet Storm. All rights reserved.