Posting this on behalf of the security team - since this module has no stable releases, this security issue may be fixed in public.

Possible CSRF here - POST is used without checking for any form or URL token.

function drippic_upload($function = null) {
  global $base_url;

  // The vars send by Tweetie for iPhone.
  $username = $_POST['username'];
  $password = $_POST['password'];
  $tweet = $_POST['message'];
  $media = $_FILES['media'];
  if (drupal_is_denied('user', $username)) {
    header('HTTP/1.1 401 Unauthorized');
    return 'File error code: ' . $media['error'];
  }
  $output = '<?xml version="1.0" encoding="UTF-8"?>';

  $response = array(
    'key' => 'rsp',
  );

  if (isset($username) && isset($password) && isset($tweet) && isset($media)) {
    $account = drippic_load_twitter_user($username, $password);
    $nid = drippic_create_node($tweet, $media, $account);

In conjunction, possible XSS vector here since watchdog+dblog does not sanitize its output:

  node_save($node);
  watchdog('drippic', '<pre>' . print_r($node, true) . '</pre>');
  return $node->nid;
}

http://api.drupal.org/api/drupal/modules--dblog--dblog.admin.inc/functio...
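A hardened sketch of the two spots flagged above: the POST handler validates a session-bound token before doing anything, and the watchdog() call passes request data through placeholders instead of concatenating raw print_r() output. This is an added example, not the drippic module's own code; it assumes the Drupal 6/7 procedural API and that the client sends a token obtained from drupal_get_token('drippic_upload') in $_POST['token'].

```php
<?php
// Added example, not drippic's code. Assumes Drupal 6/7 core functions
// (drupal_valid_token, drupal_access_denied, drupal_is_denied, watchdog)
// and the module's own drippic_load_twitter_user()/drippic_create_node().

function drippic_upload_hardened() {
  // Only accept POST; anything else is not a valid upload request.
  if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    drupal_access_denied();
    return;
  }

  // CSRF check: the token must have been issued for this session and
  // this operation. drupal_valid_token() compares against
  // drupal_get_token('drippic_upload'), which is tied to the session id.
  $token = isset($_POST['token']) ? $_POST['token'] : '';
  if (!drupal_valid_token($token, 'drippic_upload')) {
    drupal_access_denied();
    return;
  }

  // Read the parameters defensively instead of assuming they exist.
  $username = isset($_POST['username']) ? $_POST['username'] : '';
  $password = isset($_POST['password']) ? $_POST['password'] : '';
  $tweet    = isset($_POST['message'])  ? $_POST['message']  : '';
  $media    = isset($_FILES['media'])   ? $_FILES['media']   : NULL;

  if ($username === '' || $password === '' || $tweet === '' || $media === NULL) {
    header('HTTP/1.1 400 Bad Request');
    return 'Missing parameters';
  }
  if (drupal_is_denied('user', $username)) {
    header('HTTP/1.1 401 Unauthorized');
    return 'Access denied';
  }

  $account = drippic_load_twitter_user($username, $password);
  $nid = drippic_create_node($tweet, $media, $account);

  // Logging: never build the message from raw request or node data.
  // Values passed via @placeholders are run through check_plain() by
  // watchdog(), so the dblog admin page renders them as text, not markup.
  watchdog('drippic', 'Node @nid created for Twitter user @name.',
           array('@nid' => $nid, '@name' => $username), WATCHDOG_NOTICE);

  return '<?xml version="1.0" encoding="UTF-8"?><rsp stat="ok"><nid>'
       . (int) $nid . '</nid></rsp>';
}
```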

Comments

timmillwood

Status: Active » Needs work

The drippic_upload() function is not needed now that Twitter doesn't support basic auth; this will be removed ASAP.

There are far too many watchdog messages in the module, these need removing.