Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Drupal Context Module XSS
From: "Justin C. Klein Keane" <jkleinkeane () gmail com>
Date: Tue, 11 May 2010 07:25:32 -0400

No, there are various types of admin privileges, such as admin bloocks, admin views, andmin content types and admin 
users.  On large sites it is common to divide up these privileges to various user groups.  Some are more powerful than 
others.  Admin blocks is generally used for layout and is not considered as powerful as, say, admin users.  XSS is 
particularly dangerous in Drupal because it can be used to launch XSRF that bypasses Drupals XSRF defenses.  Using XSS 
you can silently reset the super user password (which has all privs including the ability to craft PHP).  So, you could 
use XSS to attack site users or site admins.

"Andrew Farmer" <andfarm () gmail com> wrote:

On 10 May 2010, at 06:08, Justin C. Klein Keane wrote:
Drupal security responds that they do not coordinate security fixes for
modules in release candidate designation.  Vulnerability was reported to
the module maintainer via the public issue queue at the direction of
Drupal security.

Also, isn't it pretty well established by this point that Drupal generally doesn't consider XSS to be a vulnerability 
if you need an admin account to trigger it?
Justin Klein Keane
Sent from my Android please excuse any brevity.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]