1 capture

11 May 2024

Apr	MAY	Jun
	11
2023	2024	2025

success

fail

About this capture

COLLECTED BY

Organization: Archive Team

Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the sake of history and digital heritage. The group is 100% composed of volunteers and interested parties, and has expanded into a large amount of related projects for saving online and digital history.

History is littered with hundreds of conflicts over the future of a community, group, location or business that were "resolved" when one of the parties stepped ahead and destroyed what was there. With the original point of contention destroyed, the debates would fall to the wayside. Archive Team believes that by duplicated condemned data, the conversation and debate can continue, as well as the richness and insight gained by keeping the materials. Our projects have ranged in size from a single volunteer downloading the data to a small-but-critical site, to over 100 volunteers stepping forward to acquire terabytes of user-created data to save for future generations.

The main site for Archive Team is at archiveteam.org and contains up to the date information on various projects, manifestos, plans and walkthroughs.

This collection contains the output of many Archive Team projects, both ongoing and completed. Thanks to the generous providing of disk space by the Internet Archive, multi-terabyte datasets can be made available, as well as in use by the Wayback Machine, providing a path back to lost websites and work.

Our collection has grown to the point of having sub-collections for the type of data we acquire. If you are seeking to browse the contents of these collections, the Wayback Machine is the best first stop. Otherwise, you are free to dig into the stacks to see what you may find.

The Archive Team Panic Downloads are full pulldowns of currently extant websites, meant to serve as emergency backups for needed sites that are in danger of closing, or which will be missed dearly if suddenly lost due to hard drive crashes or server failures.

Collection: ArchiveBot: The Archive Team Crowdsourced Crawler

ArchiveBot is an IRC bot designed to automate the archival of smaller websites (e.g. up to a few hundred thousand URLs). You give it a URL to start at, and it grabs all content under that URL, records it in a WARC, and then uploads that WARC to ArchiveTeam servers for eventual injection into the Internet Archive (or other archive sites).

To use ArchiveBot, drop by #archivebot on EFNet. To interact with ArchiveBot, you issue commands by typing it into the channel. Note you will need channel operator permissions in order to issue archiving jobs. The dashboard shows the sites being downloaded currently.

There is a dashboard running for the archivebot process at http://www.archivebot.com.

ArchiveBot's source code can be found at https://github.com/ArchiveTeam/ArchiveBot.

TIMESTAMPS

The Wayback Machine - http://web.archive.org/web/20240511150114/https://www.drupal.org/node/2495145

Drupal Core

Possible XSS in PuSHSubscriber.inc

Version:

7.x-2.x-dev

Component:

Code

Priority:

Critical

Category:

Bug report

Assigned:

Unassigned

Issue tags:

Security about tags

Security

It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details.
Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Reporter:

cashwilliams

Created:

26 May 2015 at 15:14 UTC

Updated:

1 Jul 2015 at 02:34 UTC

Jump to comment: Most recent, Most recent file

This has been cleared by Security Team for public due to Feeds not having a stable release

PuSHSubscriber.inc has print($_GET()) on 221
http://cgit.drupalcode.org/feeds/tree/libraries/PuSHSubscriber.inc?id=7....

elseif ($_GET['hub_mode'] == 'unsubscribe') {
$this->log('Verified "unsubscribe" request.');
$verify = TRUE;
}
if ($verify) {
header('HTTP/1.1 200 "Found"', NULL, 200);
print $_GET['hub_challenge'];
drupal_exit();
}

Comment	File	Size	Author
#7	feeds-pub-xss-2495145-7.patch	6.19 KB	twistor
#7
#7	feeds-pub-xss-2495145-7-should-fail.patch	1.73 KB	twistor
#7
#3	feeds-pub-xss-2495145-3.patch	4.46 KB	twistor
#3

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

cashwilliams CreditAttribution: cashwilliams commented 26 May 2015 at 15:21

Issue summary:

View changes

Log inorregister to post comments

Comment #2

greggles

he/him

English

Denver, Colorado, USA

CreditAttribution: greggles at CARD.com commented 28 May 2015 at 19:20

Priority:

Normal

» Critical

As far as I can tell this is reflected XSS that requires no interaction or permissions to trigger.

Feels more like a critical.

Log inorregister to post comments

Comment #3

twistor CreditAttribution: twistor commented 30 May 2015 at 03:49

Status:

Active

» Needs review

File	Size
feeds-pub-xss-2495145-3.patch	4.46 KB

Alright, changed things around a bit. The pubsubhubbub standard has changed quite a bit. verify_token is gone. This patch makes the logic much easier to understand.

Uses drupal_random_key(40) for the hmac secret.
check_plains() the challenge. <- This should solve the problem. From what I can tell, there aren't any restrictions on what the verify token can be, but this is the only way to fix the problem.

I have never looked at this code, ugh.

Log inorregister to post comments

Comment #4

30 May 2015 at 03:59

Status:

Needs review

» Needs work

The last submitted patch, 3: feeds-pub-xss-2495145-3.patch, failed testing.

Log inorregister to post comments

Comment #5

twistor CreditAttribution: twistor commented 30 May 2015 at 04:03

Version:	7.x-2.0-alpha8	» 7.x-2.x-dev
Status:	Needs work	» Needs review

Bumping to dev, since that bug that broke the test is already fixed.

Working on a test to verify the fix. Once it's done, I'll make a special release with just this patch in it.

Log inorregister to post comments

Comment #6

30 May 2015 at 04:03

twistor queued 3: feeds-pub-xss-2495145-3.patch for re-testing.

Log inorregister to post comments

Comment #7

twistor CreditAttribution: twistor commented 30 May 2015 at 04:39

File	Size
feeds-pub-xss-2495145-7-should-fail.patch	1.73 KB

feeds-pub-xss-2495145-7.patch	6.19 KB

Log inorregister to post comments

Comment #8

30 May 2015 at 04:55

The last submitted patch, 7: feeds-pub-xss-2495145-7-should-fail.patch, failed testing.

Log inorregister to post comments

Comment #9

klausi

he/him||they/them

German

🇦🇹 Vienna

CreditAttribution: klausi at jobiqo - job board technology commented 8 June 2015 at 15:50

Status:

Needs review

» Reviewed & tested by the community

No direct print_r of $_GET anymore, looks good from a visual review.

Log inorregister to post comments

Comment #10

17 June 2015 at 02:27

twistor committed 211b7e7on7.x-2.x

Issue #2495145 by twistor, cashwilliams, greggles, klausi: Possible XSS...

Log inorregister to post comments

Comment #11

twistor CreditAttribution: twistor commented 17 June 2015 at 02:27

Status:

Reviewed & tested by the community

» Fixed

Log inorregister to post comments

Comment #12

1 July 2015 at 02:34

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Log inorregister to post comments

Social media

Security advisories

Jobs

Our community

Documentation

Drupal code base

Governance of community

Drupal is a registered trademarkofDries Buytaert.

Possible XSS in PuSHSubscriber.inc

Comments

News items

Our community

Documentation

Drupal code base

Governance of community