The Drupal Storm module 1.32 cross site scripting
people, tasks, and project. It is used on thousands of sites according to
http://drupal.org/project/usage/storm. Storm version 1.32 has many
cross-site scripting vulnerabilities.
Sploits -
* Make or view a Storm organization at ?q=node/add/stormorganization
* for the Fullname, address, city, state, phone, and taxid values
* Save and watch scripts
* Make new person, ?q=node/add/stormperson
* for the Name, enter and save it
* Make new project at ?q=node/add/stormproject, use anything and save
* Make new task at ?q=node/add/stormtask using this:
* for Step no. and Title
* Go to ?q=node/add/stormticket
* Change twice the 'Project:' drop-down to see js alerts
* Make new ticket at ?q=node/add/stormticket
* Go to Timetracking screen at ?q=node/add/stormtimetracking
* Change the 'Project:' drop-down to view alerts
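
The steps above come down to stored field values being written into pages without HTML encoding. The following PHP example is added here and is not Storm's code or part of the original post: it renders the organization fields and the 'Project:' drop-down labels with and without encoding and checks the output for raw markup. `encode_plain()` (a stand-in for Drupal's `check_plain()`), the render functions and the sample data are assumptions made for illustration.

```php
<?php
// Hypothetical stand-in for Drupal's check_plain(): HTML-encode text for output.
function encode_plain($text) {
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Render the organization fields named in the steps above as a definition list.
// $escape = false models output without encoding; true models the hardened form.
function render_organization(array $org, $escape) {
    $rows = '';
    foreach (array('fullname', 'address', 'city', 'state', 'phone', 'taxid') as $field) {
        $value = isset($org[$field]) ? $org[$field] : '';
        $rows .= '<dt>' . $field . '</dt><dd>' . ($escape ? encode_plain($value) : $value) . "</dd>\n";
    }
    return "<dl>\n" . $rows . "</dl>\n";
}

// Build <option> elements for a 'Project:' drop-down from stored node titles.
function render_project_options(array $titles, $escape) {
    $html = '';
    foreach ($titles as $nid => $title) {
        $label = $escape ? encode_plain($title) : $title;
        $html .= '<option value="' . (int) $nid . '">' . $label . "</option>\n";
    }
    return $html;
}

// Regression check: true if any stored value containing markup characters
// shows up verbatim (unencoded) in the rendered HTML.
function leaks_raw_markup($html, array $values) {
    foreach ($values as $value) {
        if (preg_match('/[<>"\']/', $value) && strpos($html, $value) !== false) {
            return true;
        }
    }
    return false;
}

// Constructed sample data: a harmless test marker, not taken from the post.
$marker = '<script>alert(1)</script>';
$org = array('fullname' => $marker, 'address' => '1 "Main" St', 'city' => 'Springfield',
             'state' => 'XX', 'phone' => '555-0100', 'taxid' => $marker);
$projects = array(12 => $marker, 13 => 'Website redesign');

foreach (array(false, true) as $escape) {
    $html = render_organization($org, $escape) . render_project_options($projects, $escape);
    printf("escape=%s leaks_raw_markup=%s\n", $escape ? 'on' : 'off',
        leaks_raw_markup($html, array_merge($org, $projects)) ? 'yes' : 'no');
}
```

In Drupal module code the encoding step is `check_plain()` applied when the value is output, including titles returned to populate a drop-down.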
References : http://securityreason.com/wlb_show/WLB-2010050075
- Unknown
- May 18, 2010