"Ahmed Saad has brought to our attention a creative way to enter malicious HTML content. Upon further investigation we found that interpretation of broken HTML/SGML and various quirks in interpretation of correctly formed, but non-sensical attribute values by various browsers also allows entering malicious HTML content. These can lead to XSS attacks."
- Advisory ID: DRUPAL-SA-2005-007
- Project: Drupal core
- Date: 2005-11-30
- Security risk: less critical
- Impact: normal
- Where: from remote
- Vulnerability: XSS
Your humble writer is the aforementioned vulnerability reporter and exploit coder. It was first tested and verified on this Drupal installation! (beyond my test environment ;)
Good, thanks for testing on a community website. No further comments!
PS. EGLUG updated.
Cheers,
I told you to disable the vulnerable tags ;)
What are you talking about?
I'm not supposed to change anything just because "someone" asked me to do it?
OK, you just ignored a warning about a potential 0-day vulnerability..
Ah, forgot to say that I exploited my own account!
It doesn't matter with me.
Anyway, this is my own opinion, feel free to ignore it.
Well, and how was I supposed to warn you without verifying that the version installed at the time is vulnerable?!!
You can pull the whole EGLUG DocumentRoot from my CVS.
i asked about such thing befo
What if I didn't read such post?
If you want to ask about the eglug drupal installation you should make it a separate post so people can identify it.