[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Drupal XML-Sitemap 5.x-1.6 XSS Vulnerability



The Drupal XML Sitemap module version 5.x-1.6 (
http://drupal.org/project/xmlsitemap) contains a cross site scripting
vulnerability because it fails to properly sanitize 'Path' output in the XML
Sitemap administration area.  If you install XML Sitemap and click on
Administer, Site configuration, XML sitemap, then click on the Additional
tab and put JavaScript into the 'Path' text box and save the additional link
when the page refreshes the JavaScript is rendered by Drupal.  This means
that users who can administer the additional links in XML Sitemap can attack
other users who view that page.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/