Sunday, 11 March 2012

[EN] Drupal 7.12 bug - Updated 9:0

I'm working on exploit for latest Drupal (7.12). 

Now there is "next part of fuzzing" started, so post will be updated soon (maybe today/*tommorow).
Anyway: I need some help with writing patch. 
If You are interested, let me know! ;)

 *... today ;) *
Fuzzing still in progress (with a lot of "reading";))
But for now we can say:
  • for not logged : there is information disclosure (or I will extend it if possible to something more useful)
  • for logged-in as a normal/registered/authenticated user: ... ;) 

* 12.03.2012 - 8:30 - Updated *
After 2 days, I have 3 different bugs for latest Drupal.
So, if You're still interested in exploit/patch process development, let me know! ;)

* 12.03.2012 - 9:52 - Updated *
Wow, it will be a very busy Monday ;)

I found another bug in Drupal, this time is in admin panel, (but in case when 'normal user' will do sql-injection from bugs I described at the top of this post, there is a risk of be-0wned ;P)

From 'simple' fuzzing of my 'simple' tools, there is simple 'total score': 
- 3 sql-injection (or will be extended to something more/less)
- 5 information disclosure bugs 

*13.03.2012 - 3:36 - Updated*
 Ok. So for now there is 9 vulnerabilities. :)

Possible both situations:
- sql injection / information disclosure from normal/registered user
- like before, but for admin...

To be continued... ;) 


  1. cheap designer sunglasses:
    hi, thanks for comments;)

    and btw nice to know You're interested in Drupal,
    because I think there should be more to present ;)
    Mail me if You have more questions @ contact.

    Anyway as I'm looking for a job now, so March/April is very busy.
    Topic will be updated, but now I'm going to next part of interview. ;)


  2. gosh..i never believe u would reply

    thanks! i wish u good luck when finding job!

    yes,me again,

  3. oakley discount:
    it's a pleasure to reply ;) Feedback is very imoprtant ;P

    Regards o/


What do You think...?