Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Drupal 6.22 Cross Site Scripting

🗓️ 28 Jun 2011 00:00:00Reported by MustLiveType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 44 Views

Drupal 6.22 Cross Site Scripting and Brute Force vulnerabilities in forms and login

Code
`-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are Drupal 6.22 and previous versions. Taking into account that  
developers didn't fixed these holes, then versions 7.x also must be  
vulnerable.  
  
----------  
Details:  
----------  
  
XSS (WASC-08):  
  
At pages with forms (i.e. at comment page http://site/comment/reply/1, as  
add data forms, as edit data forms), which are protected by token from CSRF,  
it's possible to conduct reflected XSS attack. Even without need to know  
form_token. The hole is similar to previous XSS, but in this case it's  
reflected XSS (not persistent), much more forms are affected (code will  
execute not only at edit forms, but also at add forms) and there is no need  
to know form_token.  
  
The attack is conducting on any forms with turned on FCKeditor/CKeditor.  
Such attack can be conducted and on forms with TinyMCE - I wrote already  
about such vulnerabilities in PHP-Nuke via TinyMCE  
(http://packetstormsecurity.org/files/view/99162/phpnuke-iaaxss.txt).  
  
If it's edit data form, then the attack can be conducted only on logged-in  
user which is an owner of this account (who posted this comment, etc.) or on  
admin of the site. And if it's add data form (i.e. comment), then it's  
possible to conduct attacks on admin and any logged-in users. Attacking code  
can be in parameter comment, body or other parameter depending on the form.  
  
Exploit:  
  
http://websecurity.com.ua/uploads/2011/Drupal%20XSS.html  
  
Brute Force (WASC-11):  
  
In login form in sidebar, which is placed at any external page of the site  
(http://site/node), there is no reliable protection against brute force  
attacks. There is no captcha in Drupal itself, and existent Captcha module  
(and also all plugins for it, such as reCAPTCHA) is vulnerable, as I wrote  
already (http://websecurity.com.ua/4763/). Exploit is differ from previous  
BF: if in previous Brute Force vulnerability form_id equal user_login, then  
in this one form_id equal user_login_block.  
  
------------  
Timeline:  
------------  
  
2010.12.11 - when I informed developers about previous multiple  
vulnerabilities in Drupal, I told them briefly about these holes.  
2011.04.13 - announced at my site.  
2011.04.14 - informed developers.  
2011.06.25 - disclosed at my site.  
  
I mentioned about these vulnerabilities at my site  
(http://websecurity.com.ua/5077/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 Jun 2011 00:00Current
7.4High risk
Vulners AI Score7.4
drupal 6.22cross site scriptingbrute forcecsrffckeditorckeditortinymcelogin formbrute force attackscaptchaexploitwebsecurity.
44