[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Drupal XML Sitemap 6.x-1.1 XSS Vulnerability

To: Justin Klein Keane <justin@xxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Drupal XML Sitemap 6.x-1.1 XSS Vulnerability
From: Andrew Farmer <andfarm@xxxxxxxxx>
Date: Thu, 15 Oct 2009 18:10:24 -0700

On 15 Oct 2009, at 07:24, Justin Klein Keane wrote:
> Applying the following patch mitigates these threats.
>
> - --- site_map/site_map.module    2009-09-30 15:09:49.295134033 -0400
> +++ site_map/site_map.module      2009-09-30 15:09:30.011119976 -0400
> @@ -14,7 +14,7 @@ function site_map_help($path, $arg) {
>  switch ($path) {
>    case 'sitemap':
>      $output = _sitemap_get_message();
> - - -      return $output ? '<p>'. filter_xss($output) .'</p>' : '';
> +      return $output ? '<p>'. $output .'</p>' : '';
>  }
> }

Surely that should be the other way around?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Drupal XML Sitemap 6.x-1.1 XSS Vulnerability
  - From: Justin Klein Keane

Prev by Date: [Full-disclosure] [USN-849-1] libsndfile vulnerabilities
Next by Date: [Full-disclosure] n.runs-SA-2009.007 - Adobe Acrobat - Invalid pointer write could lead to arbitrary code execution
Previous by thread: [Full-disclosure] Drupal XML Sitemap 6.x-1.1 XSS Vulnerability
Next by thread: Re: [Full-disclosure] Drupal XML Sitemap 6.x-1.1 XSS Vulnerability
Index(es):
- Date
- Thread