Drupal Addressbook Module Multiple Input Validation Vulnerabilities
BID:53350
Info
Drupal Addressbook Module Multiple Input Validation Vulnerabilities
| Bugtraq ID: | 53350 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | May 02 2012 12:00AM |
| Updated: | May 02 2012 12:00AM |
| Credit: | Michael Hess |
| Vulnerable: |
Drupal Addressbook 6.x-4.2 |
| Not Vulnerable: | |
Discussion
Drupal Addressbook Module Multiple Input Validation Vulnerabilities
The Addressbook module for Drupal is prone to multiple input-validation vulnerabilities including:
1. A cross-site request forgery vulnerability
2. A cross-site scripting vulnerability
3. An SQL injection vulnerability
Exploiting these issues could allow an attacker to to perform certain administrative actions and gain unauthorized access to the affected application, steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Addressbook 6.x-4.2 is vulnerable; prior versions may also be affected.
The Addressbook module for Drupal is prone to multiple input-validation vulnerabilities including:
1. A cross-site request forgery vulnerability
2. A cross-site scripting vulnerability
3. An SQL injection vulnerability
Exploiting these issues could allow an attacker to to perform certain administrative actions and gain unauthorized access to the affected application, steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Addressbook 6.x-4.2 is vulnerable; prior versions may also be affected.
Exploit / POC
Drupal Addressbook Module Multiple Input Validation Vulnerabilities
Attackers can exploit these issues using browser. To exploit cross-site scripting and cross-site request forgery issues, the attacker must entice an unsuspecting victim to follow a malicious URI.
Attackers can exploit these issues using browser. To exploit cross-site scripting and cross-site request forgery issues, the attacker must entice an unsuspecting victim to follow a malicious URI.
Solution / Fix
Drupal Addressbook Module Multiple Input Validation Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].