[41917] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Re: Drupal all versiyon xss cehennem.org

daemon@ATHENA.MIT.EDU (security@drupal.org)
Tue Jan 3 16:41:39 2006

Date: 3 Jan 2006 21:43:49 -0000
Message-ID: <20060103214349.4169.qmail@securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: security@drupal.org
To: bugtraq@securityfocus.com

I have inspected the latest XSS filter mechanism of Drupal which is included in 4.5.6 and 4.6.4 versions and onward and both the decimal and the hexadecimal version is escaped when choosing the  "Filtered HTML" format. The "Full HTML" format, as its name implies, does not filter HTML and its documented to be so.

I am not aware of any contact attempts w/ the security team before mailing this report to the list.

Regards

Karoly Negyesi
Security team coordinator


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[41917] in bugtraq

Re: Drupal all versiyon xss cehennem.org

daemon@ATHENA.MIT.EDU (security@drupal.org)Tue Jan 3 16:41:39 2006

daemon@ATHENA.MIT.EDU (security@drupal.org)
Tue Jan 3 16:41:39 2006