[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Drupal XML-Sitemap 5.x-1.6 XSS Vulnerability
From: Black Packeteer <black.packeteer () gmail ! com>
Date: 2009-09-28 16:54:42
Message-ID: d60b874c0909280954y6ad348d8p9a6bbcfa8fe43dc5 () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
The Drupal XML Sitemap module version 5.x-1.6 (
http://drupal.org/project/xmlsitemap) contains a cross site scripting
vulnerability because it fails to properly sanitize 'Path' output in the XML
Sitemap administration area. If you install XML Sitemap and click on
Administer, Site configuration, XML sitemap, then click on the Additional
tab and put JavaScript into the 'Path' text box and save the additional link
when the page refreshes the JavaScript is rendered by Drupal. This means
that users who can administer the additional links in XML Sitemap can attack
other users who view that page.
[Attachment #5 (text/html)]
The Drupal XML Sitemap module version 5.x-1.6 (<a \
href="http://drupal.org/project/xmlsitemap">http://drupal.org/project/xmlsitemap</a>) contains \
a cross site scripting vulnerability because it fails to properly sanitize 'Path' \
output in the XML Sitemap administration area. If you install XML Sitemap and click on \
Administer, Site configuration, XML sitemap, then click on the Additional tab and put \
JavaScript into the 'Path' text box and save the additional link when the page \
refreshes the JavaScript is rendered by Drupal. This means that users who can administer the \
additional links in XML Sitemap can attack other users who view that page. <br>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic