Re: Drupal all versiyon xss cehennem.org

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Drupal all versiyon xss cehennem.org
From: security@xxxxxxxxxx
Date: 3 Jan 2006 21:43:49 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

I have inspected the latest XSS filter mechanism of Drupal which is included in 
4.5.6 and 4.6.4 versions and onward and both the decimal and the hexadecimal 
version is escaped when choosing the  "Filtered HTML" format. The "Full HTML" 
format, as its name implies, does not filter HTML and its documented to be so.

I am not aware of any contact attempts w/ the security team before mailing this 
report to the list.

Regards

Karoly Negyesi
Security team coordinator

Prev by Date: WMF round-up, updates and de-mystification
Next by Date: WMF SETABORTPROC exploit
Previous by thread: Re: Drupal all versiyon xss cehennem.org
Next by thread: [eVuln] Chipmunk Guestbook XSS Vulnerability
Index(es):
- Date
- Thread