Re: [Full-disclosure] [Security-news] SA-CONTRIB-2012-051 - Activity - Multiple Vulnerabilities
- To: "Justin C. Klein Keane" <justin@xxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] [Security-news] SA-CONTRIB-2012-051 - Activity - Multiple Vulnerabilities
- From: Greg Knaddison <greg.knaddison@xxxxxxxxxx>
- Date: Thu, 29 Mar 2012 06:35:06 -0600
I should note that Justin was a reporter of the issue to the Drupal
Security Team. When writing the advisory he was mistakenly excluded.
That's been corrected in the HTML version of this advisory:
http://drupal.org/node/1506562
On Wed, Mar 28, 2012 at 4:40 PM, Justin C. Klein Keane <justin@xxxxxxxxxxxx> wrote:
> Exploit for bespoke:
>
<snip>
> Patch:
<snip>
Note that Justin's PoC and patch below only address the XSS issue and
not the CSRF issue.
Regards,
Greg
--
Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com