
List:       full-disclosure
Subject:    [Full-disclosure] Vulnerabilities in Print for Drupal
From:       "MustLive" <mustlive () websecurity ! com ! ua>
Date:       2011-06-30 20:02:31
Message-ID: 001401cc3760$cb74cf80$9b7a6fd5 () ml

Hello list!

I want to warn you about Abuse of Functionality and Insufficient
Anti-automation vulnerabilities in the Print module for Drupal.

-------------------------
Affected products:
-------------------------

Print 5.x-4.11, 6.x-1.12, 7.x-1.x-dev and earlier versions are vulnerable.

----------
Details:
----------

Abuse of Functionality (WASC-42):

The form for sending content by e-mail (http://site/printmail/1) can be used
to send spam. All of the main fields that matter for spoofing are under the
sender's control: the return address (by changing it in the user's profile),
the sender name, one or several recipient e-mail addresses, the subject and
the message text. The sender can also choose a page they created on the site
as the content delivered in the body of the letter, so spam messages can be
composed on the site itself and then mailed out, giving full control over the
content of the spam letters.

Insufficient Anti-automation (WASC-21):

On the page for sending content by e-mail (http://site/printmail/1) there is
no protection against automated requests (no captcha), which allows automated
sending of spam to arbitrary e-mail addresses. The limit of at most 3 messages
per hour is bypassed by sending messages from different IP addresses (even
while logged into the same account), i.e. the limit is enforced per source IP
rather than per account.
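The following is an added illustration of the bypass just described; it is not
the Print module's code and not the exploit linked below. It models a
"3 messages per hour" sliding-window limit, replays a constructed trace in
which one logged-in account (uid 1234, a made-up value) rotates through three
source addresses, and shows that a limit keyed on the client IP admits all nine
sends, while a limit that must also hold for the account admits only three.
Request dictionaries, field names and the 203.0.113.x addresses are
assumptions for the example.

```python
"""Sliding-window send limiter: IP-keyed (bypassable by rotating IPs) versus
account-plus-IP-keyed. Constructed example, not the Print module's own code."""
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # the one-hour window from the advisory
MAX_PER_WINDOW = 3      # the "3 messages per hour" limit from the advisory


class SlidingWindowLimiter:
    """Counts accepted sends per key inside a sliding window."""

    def __init__(self, key_func, limit=MAX_PER_WINDOW, window=WINDOW_SECONDS):
        self.key_func = key_func
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)   # key -> timestamps of accepted sends

    def _prune(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:   # drop sends older than the window
            q.popleft()
        return q

    def check(self, request, now):
        """True if the request is still within the limit for its key."""
        return len(self._prune(self.key_func(request), now)) < self.limit

    def record(self, request, now):
        self._events[self.key_func(request)].append(now)


class CombinedLimiter:
    """Admits a request only when every component limiter admits it, and only
    then charges it to all of them (a refused send is not counted)."""

    def __init__(self, *limiters):
        self.limiters = limiters

    def allow(self, request, now):
        if not all(lim.check(request, now) for lim in self.limiters):
            return False
        for lim in self.limiters:
            lim.record(request, now)
        return True


def by_ip(request):
    return ("ip", request["ip"])


def by_account(request):
    # Anonymous requests have no account; fall back to the source IP for them.
    uid = request.get("uid")
    return ("uid", uid) if uid is not None else ("ip", request["ip"])


def count_accepted(limiter, requests):
    """Replay a request trace and return how many sends the limiter admits."""
    return sum(1 for r in requests if limiter.allow(r, r["t"]))


# Constructed trace (not captured traffic): account 1234 stays logged in and
# sends nine mails one minute apart, rotating across three source addresses.
ROTATING_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
ATTACK_TRACE = [{"uid": 1234, "ip": ROTATING_IPS[i % 3], "t": 60 * i}
                for i in range(9)]


def ip_only_result():
    """The advisory's situation: the limit is keyed on the client IP alone."""
    return count_accepted(CombinedLimiter(SlidingWindowLimiter(by_ip)), ATTACK_TRACE)


def account_and_ip_result():
    """Hardened: the send must be within limit for the account and for the IP."""
    limiter = CombinedLimiter(SlidingWindowLimiter(by_account),
                              SlidingWindowLimiter(by_ip))
    return count_accepted(limiter, ATTACK_TRACE)


def window_expiry_result():
    """Fourth send inside the hour is refused; once the first send ages out of
    the window a new send is admitted again."""
    limiter = CombinedLimiter(SlidingWindowLimiter(by_account))
    req = {"uid": 1234, "ip": "203.0.113.10"}
    return [limiter.allow(req, t) for t in (0, 60, 120, 180, 3600)]


if __name__ == "__main__":
    print("IP-keyed limit admits", ip_only_result(), "of 9 sends")
    print("account+IP limit admits", account_and_ip_result(), "of 9 sends")
    print("expiry behaviour:", window_expiry_result())
```

The point of the combined limiter is that an authenticated sender is bounded by
the account key no matter how many source addresses they use, while anonymous
senders are still bounded per IP; a captcha on the form would be a separate,
complementary control against the automation itself.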

Exploit:

http://websecurity.com.ua/uploads/2011/Drupal%20Print%20IAA.html

And taking into account the two Brute Force vulnerabilities in Drupal (lack of
a captcha), which I mentioned earlier, automated login is also possible, which
allows this whole process to be fully automated. I wrote about this in the
article Attacks on unprotected login forms
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html).

------------
Timeline:
------------

2011.04.15 - announced at my site.
2011.04.17 - informed developer.
2011.06.30 - disclosed at my site.

I mentioned these vulnerabilities at my site
(http://websecurity.com.ua/5083/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/