Drupal security: video example of user account hijacking with XSS

In this short screencast a variety of security holes are shown, as well as some malicious things which are made possible due to these lapses. We'll take a walk-through of two security issues showcased in the vulnerable.module, as well as two other exploits which I put together:

User account hijacking via cookie/session XSS thievery
User account hijacking via password-changing-inline-XSS

Read »

Created by Caleb 2 years 11 weeks ago – Made popular 2 years 11 weeks ago
Category: News Tags:

Login to post comments

Post under different account (hijacking) 2 years 8 weeks ago

Hello fellow Drupallers!

Because there is no importer for MyBB, I am in the process of manually importing every single thread of my previous forum on Drupal. This is very time-consuming, and dates are lost.

In order to make it bit faster, I would like to be able to change the user name of for a given post without having to log in with the said account.

Any idea on how to do it ?

Thank you.

Seems "pma" account is vulnerable if I use phpmyadmin. 2 years 29 weeks ago

Seems "pma" account is vulnerable if I use phpmyadmin. So I've decided to drop the pma account which can give you access mysql database without password. So my question is if I drop "pma" account by sql command through phpmyadmin will it create any problem for my running drupal site or any other issues? Please experts kindly advise me. Thank you.

Drupal HTTP session security vulnerability on wifi? (Firesheep) 1 year 29 weeks ago

So there's been a bit of a stir about this firefox extension firesheep which allows you to hijack popular website sessions on open wifi networks.

this intrusion is possible because most websites —including Facebook and Twitter— only encrypt the user's initial login.

Required Security Question to login for Admin users? 2 years 8 weeks ago

I've had issues with an individual trying to hack into my drupal account. Are there any modules that exist that require you to answer a security question, after logging in with your correct username and password, before being completely logged in? That would provide an extra level of security so even if the person was able to get your password, they'd still need to know what your security question was.

Does that make sense?

Cracking Drupal: Using XSS to steal access 1 year 16 weeks ago

We've talked about Cross Site Scripting (XSS) before, and for good reason, it's a risk far too many sites are vulnerable to. XSS is scary because it runs in the context of the trusted relationship between your browser and a website; XSS can do everything you can do.

XSS cookie theft

Let's look at another example of an XSS exploit: stealing administrative access to a site.

Jim Berry: Using mixed HTTP(S) sessions securely and without loss of session data 14 weeks 6 days ago

Mixed sessions refers to providing, with respect to a user visiting a site, some content over an insecure (HTTP) connection and other content over a secure (HTTPS) connection. A quick online search reveals the widespread problem of supporting mixed sessions. For example, simply redirecting to a secure connection does not eliminate the possibility of session hijacking. To avoid the issues, some sites have gone to all HTTPS sessions (e.g.

SA-CONTRIB-2012-006 XSS and CSRF in Multiple Modules - Supercron, Taxotouch, Admin:hover, Taxonomy Navigator no longer supported 18 weeks 6 days ago

Advisory ID: DRUPAL-SA-CONTRIB-2012-006
Projects: SuperCron, Taxotouch, Taxonomy Navigator, Admin:hover (third-party modules)
Version: 6.x, 7.x
Date: 2012-January-11
Security risk: Critical
Exploitable f

Is it Insane to Allow Comments without an Account? 1 year 28 weeks ago