Full Disclosure mailing list archives

Re: Drupal XML Sitemap 6.x-1.1 XSS Vulnerability

From: Andrew Farmer <andfarm () gmail com>
Date: Thu, 15 Oct 2009 18:10:24 -0700

On 15 Oct 2009, at 07:24, Justin Klein Keane wrote:

Applying the following patch mitigates these threats.

- --- site_map/site_map.module    2009-09-30 15:09:49.295134033 -0400
+++ site_map/site_map.module      2009-09-30 15:09:30.011119976 -0400
@@ -14,7 +14,7 @@ function site_map_help($path, $arg) {
 switch ($path) {
   case 'sitemap':
     $output = _sitemap_get_message();
- - -      return $output ? '<p>'. filter_xss($output) .'</p>' : '';
+      return $output ? '<p>'. $output .'</p>' : '';
 }
}


Surely that should be the other way around?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Drupal XML Sitemap 6.x-1.1 XSS Vulnerability Justin Klein Keane (Oct 15)
- Re: Drupal XML Sitemap 6.x-1.1 XSS Vulnerability Andrew Farmer (Oct 15)
- Re: Drupal XML Sitemap 6.x-1.1 XSS Vulnerability Jan G.B. (Oct 16)
- Re: Drupal XML Sitemap 6.x-1.1 XSS Vulnerability Justin Klein Keane (Oct 16)