I should note that Justin was a reporter of the issue to the Drupal Security Team. When writing the advisory he was mistakenly excluded. That's been corrected in the html version of this advisory http://drupal.org/node/1506562
On Wed, Mar 28, 2012 at 4:40 PM, Justin C. Klein Keane <[email protected]> wrote:
> Exploit for bespoke:
> <snip>
> Patch: <snip>

Note that Justin's POC and patch below only address the XSS issue and not the CSRF issue.

Regards,
Greg

--
Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
