Full Disclosure: Re: [Security-news] SA-CONTRIB-2012-051 - Activity

Re: [Security-news] SA-CONTRIB-2012-051 - Activity - Multiple Vulnerablities

From: Greg Knaddison <greg.knaddison () acquia com>
Date: Thu, 29 Mar 2012 06:35:06 -0600

I should note that Justin was a reporter of the issue to the Drupal
Security Team. When writing the advisory he was mistakenly excluded.
That's been corrected in the html version of this advisory
http://drupal.org/node/1506562


On Wed, Mar 28, 2012 at 4:40 PM, Justin C. Klein Keane
<justin () madirish net> wrote:

Exploit for bespoke:

<snip>

Patch:


<snip>

Note that Justin's POC and patch below only address the XSS issue and
not the CSRF issue.

Regards,
Greg

--
Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

[Security-news] SA-CONTRIB-2012-051 - Activity - Multiple Vulnerablities security-news (Mar 28)
- Re: [Security-news] SA-CONTRIB-2012-051 - Activity - Multiple Vulnerablities Justin C. Klein Keane (Mar 28)
  - Re: [Security-news] SA-CONTRIB-2012-051 - Activity - Multiple Vulnerablities Greg Knaddison (Mar 29)