2009/10/15 Justin Klein Keane <[email protected]>:
> Drupal 6.14 with Site map 6.x-1.1 was tested and shown to be vulnerable.
> [...]
> The Site map module contains a cross-site scripting vulnerability
> because it does not properly sanitize output of titles before display.
> [...]
> To carry out a Site map based XSS exploit the attacker must have
> 'administer site configuration' permissions.

I'm not into Drupal that much, but with the right "administer site configuration" permission you already have total control over quite everything [1]. For example, you can administer themes, add your PHP or JS code right there... and you can do a lot more.

[1] http://drupal.org/project/config_perms
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
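The bug class the advisory describes (a title echoed into HTML without escaping) and its fix, as an added illustration that is not part of the original post and not code from the Site map module or from Drupal core. The sample title, the two function names and the use of plain PHP rather than a Drupal bootstrap are assumptions made here so the snippet runs stand-alone; Drupal 6's check_plain() is essentially htmlspecialchars($text, ENT_QUOTES, 'UTF-8') plus a UTF-8 validity check, so the hardened variant below calls htmlspecialchars() with those arguments directly.

```php
<?php
// Added illustration, not code from the Site map module or from Drupal core.
// Drupal 6's check_plain() boils down to htmlspecialchars($text, ENT_QUOTES, 'UTF-8')
// (plus a UTF-8 validity check); htmlspecialchars() is used directly here so the
// example runs without a Drupal installation.

// Constructed sample: a title an account holding 'administer site configuration'
// could set through the admin UI. The payload is inert text until it is rendered.
$title = 'My site<script>alert(document.cookie)</script>';

// Vulnerable pattern: the stored title is concatenated into markup unchanged,
// so the browser parses the <script> element and runs it for every visitor
// who views the page.
function render_title_unsafe($title) {
  return '<h2>' . $title . '</h2>';
}

// Hardened pattern: escape for an HTML text context before output. ENT_QUOTES
// also covers single quotes, which matters if the same value is ever placed
// inside a single-quoted attribute; the charset argument keeps multi-byte
// sequences from being mis-parsed.
function render_title_safe($title) {
  return '<h2>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</h2>';
}

echo render_title_unsafe($title), "\n";
echo render_title_safe($title), "\n";
```

Run with `php example.php`: the first line reproduces the markup with a live <script> element, the second has `<`, `>` and quotes turned into entities so the same string is displayed as literal text. As the reply above notes, in Drupal 6 the permission needed to plant the title already allows PHP or JS to be added through the theme settings, so escaping here is defense in depth rather than a privilege boundary; the pattern is the same one to apply wherever lower-privileged users control a title that is rendered to others.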
